Oracle® Application Server Upgrade and Compatibility Guide
10g Release 2 (10.1.2) for UNIX
Part No. B14090-05

5 Upgrading Identity Management Services

This chapter contains the following sections:


Note:

If you are upgrading a distributed OracleAS Identity Management environment, an OracleAS Identity Management replication environment, or if you are interested in the data migration method of upgrading OracleAS Identity Management, see Chapter 6, "Additional OracleAS Identity Management Upgrade Procedures".

5.1 Overview of the OracleAS Identity Management Components

OracleAS Identity Management is part of the Oracle Application Server Infrastructure. It consists of:


See Also:

Oracle Application Server Concepts for an overview of the OracleAS Infrastructure

Oracle Application Server Installation Guide for information about installing OracleAS Identity Management


5.2 Task 1: Review Your OracleAS Identity Management Configuration

Before you upgrade OracleAS Identity Management, you should be familiar with the various configurations that you may have implemented at your site.

The OracleAS Identity Management you want to upgrade will vary depending upon whether you are running Oracle Application Server Release 2 (9.0.2) or Oracle Application Server 10g (9.0.4). The following sections describe the configuration options available for each version of Oracle Application Server:

5.2.1 Oracle Application Server Release 2 (9.0.2) OracleAS Identity Management Configuration Options

In Oracle Application Server Release 2 (9.0.2), the components of OracleAS Identity Management are always installed with an OracleAS Metadata Repository. As a result, each Oracle Application Server Release 2 (9.0.2) Infrastructure installation is a colocated Infrastructure.


See Also:

Section 1.1.2, "Reviewing Your Current OracleAS Infrastructure Configuration" for definitions of colocated and non-colocated OracleAS Infrastructure installations

However, even though all Release 2 (9.0.2) OracleAS Identity Management installations include an OracleAS Metadata Repository, the Release 2 (9.0.2) Identity Management configuration can still be non-distributed or distributed.

In a non-distributed Release 2 (9.0.2) OracleAS Identity Management installation, Oracle Application Server Single Sign-On and Oracle Internet Directory share a metadata repository, as shown in Figure 5-1.

Alternatively, the Release 2 (9.0.2) Identity Management configuration can be distributed, in which Oracle Application Server Single Sign-On and Oracle Internet Directory each use a separate metadata repository. This is depicted in Figure 5-2.


Notes:

If, in Oracle9iAS Release 2 (9.0.2), you had Oracle Delegated Administration Services (DAS) or Oracle Directory Integration and Provisioning (DIP) operating in a middle tier, and you want to set up DAS or DIP in 10g Release 2 (10.1.2), you must perform a DAS-only or DIP-only installation in a separate Oracle home.

See the section titled "Installing Identity Management Components Only" in the chapter "Installing OracleAS Infrastructure 10g" in the Oracle Application Server Installation Guide.

In addition, if the Release 2 (9.0.2) OracleAS Single Sign-On server was using a middle tier other than the default middle-tier installation with the SSO server, then you can install a new 10g Release 2 (10.1.2) OracleAS Single Sign-On middle tier and decommission the non-default, old OracleAS Single Sign-On middle tier.


Figure 5-1 Non-Distributed Identity Management


Figure 5-2 Distributed Identity Management in Release 2 (9.0.2)


5.2.2 Oracle Application Server 10g (9.0.4) OracleAS Identity Management Configuration Options

Oracle Application Server 10g (9.0.4) introduced three OracleAS Infrastructure installation types. These installation types are also available in Oracle Application Server 10g Release 2 (10.1.2). These installation types allow you to install:

  • Identity Management and OracleAS Metadata Repository

  • Identity Management

  • OracleAS Metadata Repository

Selecting the Identity Management and OracleAS Metadata Repository installation type results in a colocated Infrastructure, where both the OracleAS Metadata Repository and OracleAS Identity Management are in the same Oracle home.

If you install only OracleAS Identity Management, you must provide connection details and logon credentials for a valid OracleAS Metadata Repository.

The option you choose when you install the OracleAS Infrastructure determines whether you are installing a colocated Infrastructure or a non-colocated Infrastructure.


See Also:

Section 1.1.2, "Reviewing Your Current OracleAS Infrastructure Configuration" for more information about colocated Infrastructure and non-colocated Infrastructure installations

As with Oracle Application Server Release 2 (9.0.2), your 10g (9.0.4) OracleAS Identity Management configuration can be distributed or non-distributed. The 10g (9.0.4) non-distributed configuration is the same as the Release 2 (9.0.2) non-distributed OracleAS Identity Management configuration shown in Figure 5-1.

However, in 10g (9.0.4), the OracleAS Identity Management components do not require an OracleAS Metadata Repository in the same Oracle home. Consider the following examples of distributed OracleAS Identity Management installations:

  • Figure 5-3 shows how the OracleAS Single Sign-On component of OracleAS Identity Management can be installed in a separate 10g (9.0.4) Oracle home from the Oracle Internet Directory, but share the same OracleAS Metadata Repository.

  • Figure 5-4 shows an extension of the previous example. It introduces a third host, which is used to host an Oracle Application Server Certificate Authority (OCA) installation. The OCA installation uses the same Oracle Internet Directory as OracleAS Single Sign-On, but it has its own OracleAS Metadata Repository to store the OCA schema.

Figure 5-3 Distributed Identity Management in 10g (9.0.4) - Example 1


Figure 5-4 Distributed Identity Management in 10g (9.0.4) - Example 2


5.2.3 About Oracle Application Server Certificate Authority

Oracle Application Server Certificate Authority (OCA) is an OracleAS Identity Management component that was introduced in 10g (9.0.4).

If you are upgrading from 10g (9.0.4) and you have installed and configured OCA, the OracleAS Identity Management upgrade procedure will also upgrade OCA.

However, if you are upgrading from Release 2 (9.0.2), and you would like to add OCA to your OracleAS Identity Management installation, you must install OCA into its own Oracle home after upgrading the other OracleAS Identity Management components to 10g Release 2 (10.1.2.0.2).

Specifically, you can add OCA to your existing OracleAS Identity Management Oracle environment as follows:

  1. Upgrade the OracleAS Identity Management components to 10g Release 2 (10.1.2.0.2) as described later in this chapter.

  2. Use the instructions in Chapter 7, "Upgrading the OracleAS Metadata Repository" to run the Metadata Repository Upgrade Assistant (MRUA).

    If the OCA schema does not exist in the OracleAS Metadata Repository, MRUA will create the OCA schema.

  3. Do one of the following:

    • Install OCA into a new 10g Release 2 (10.1.2.0.2) Oracle home that uses the existing Oracle Internet Directory, OracleAS Single Sign-On, and the upgraded OracleAS Metadata Repository where the new OCA schema now exists.

      OR

    • Install OCA into a new 10g Release 2 (10.1.2.0.2) Oracle home with its own OracleAS Metadata Repository, but using the existing Oracle Internet Directory and OracleAS Single Sign-On.

5.3 Task 2: Understand the OracleAS Identity Management Database Requirements

Regardless of the OracleAS Identity Management configuration, all OracleAS Identity Management installations require access to an OracleAS Metadata Repository. The OracleAS Metadata Repository is required because OracleAS Identity Management depends upon specific schemas that are created in the OracleAS Metadata Repository during the OracleAS Metadata Repository installation.

When you upgrade OracleAS Identity Management, the upgrade procedure upgrades the OracleAS Identity Management schemas in the OracleAS Metadata Repository. However, it can only do so if the database that hosts the OracleAS Metadata Repository is upgraded to a database version supported by Oracle Application Server 10g Release 2 (10.1.2).

How you upgrade the database depends upon whether OracleAS Identity Management is part of a colocated or non-colocated Infrastructure.


See Also:

Section 1.1.2, "Reviewing Your Current OracleAS Infrastructure Configuration" for a definition of colocated and non-colocated Infrastructures

The following sections provide more details about the database requirements when upgrading OracleAS Identity Management:

5.3.1 Database Upgrade Requirements When the OracleAS Identity Management is Part of a Colocated Infrastructure

If the OracleAS Identity Management you are upgrading is part of a colocated Infrastructure, Oracle Universal Installer automatically upgrades the OracleAS Metadata Repository database to a supported version when you upgrade OracleAS Identity Management.

After you upgrade OracleAS Identity Management in a colocated Infrastructure, refer to the following sections for information about post-upgrade tasks you should consider performing to help you manage and maintain the upgraded database:


Note:

After you upgrade Release 2 (9.0.2) OracleAS Identity Management in a colocated Infrastructure, the upgraded database contains invalid objects and represents an unsupported configuration. As a result, you must run the Metadata Repository Upgrade Assistant (MRUA) immediately after the database upgrade.

See Chapter 7, "Upgrading the OracleAS Metadata Repository" for more information about running MRUA.

See Section 1.7, "Understanding Transitional, Stable, and Unsupported Configurations" for more information about transitional, stable, and unsupported configurations while upgrading to 10g Release 2 (10.1.2).


5.3.2 Database Upgrade Requirements When the OracleAS Identity Management is Part of Non-Colocated Infrastructure

If the OracleAS Identity Management you are upgrading is part of a non-colocated Infrastructure, you must upgrade the OracleAS Metadata Repository database first, before upgrading the OracleAS Identity Management installation.

The procedure you use to upgrade the database depends upon whether the database is a seed database or an OracleAS Metadata Repository Creation Assistant database.

Consider the following when upgrading an OracleAS Metadata Repository database in a non-colocated Infrastructure:

  • If the OracleAS Metadata Repository was installed in a seed database, as part of a 10g (9.0.4) OracleAS Metadata Repository installation, you can use Oracle Universal Installer to upgrade the database automatically.

  • On the other hand, if you used the OracleAS Metadata Repository Creation Assistant to create the OracleAS Metadata Repository, you must upgrade the database manually, using the standard Oracle database upgrade procedures.

5.3.3 Stopping the Database Listener When Prompted During the OracleAS Identity Management Upgrade

Depending upon the OracleAS Identity Management configuration you are upgrading, you might be prompted to stop the database listener during the OracleAS Identity Management upgrade. Specifically, you should receive this prompt if you are upgrading a colocated Infrastructure, where the OracleAS Metadata Repository and OracleAS Identity Management are installed in the same Oracle home.

You should not stop the listener until you are prompted to do so. However, when such a prompt appears, use the lsnrctl utility to stop the database listener as follows:

  1. Set the ORACLE_HOME environment variable to the Oracle home of the listener you want to stop.

  2. Verify the version of the listener you are about to stop by entering the following command:

    $ORACLE_HOME/bin/lsnrctl version
    
    

    The lsnrctl utility displays information about the current database listener. Review the information to verify that you are stopping the correct listener.

  3. Stop the listener by entering the following command:

    $ORACLE_HOME/bin/lsnrctl stop
    

5.3.4 Summary of the OracleAS Identity Management Database Upgrade Requirements

In summary, before you upgrade OracleAS Identity Management, the database that hosts the OracleAS Identity Management schemas must be a version of the database supported by 10g Release 2 (10.1.2.0.2).

For more information, refer to Section 7.1, "Task 1: Upgrade the Database That Hosts the OracleAS Metadata Repository". Information about database support requirements is also available in the Oracle Application Server Metadata Repository Creation Assistant User's Guide.


See Also:

Section 7.1.2, "Using OracleMetaLink to Obtain the Latest Oracle Application Server Software Requirements" for information about obtaining the very latest information on the OracleAS Metadata Repository database requirements

5.4 Task 3: Back Up the OracleAS Identity Management Installation

Before you begin upgrading your OracleAS Identity Management installation, perform a backup of the OracleAS Identity Management Oracle home, and perform a backup of the database that hosts the OracleAS Identity Management schemas.

5.5 Task 4: Perform the OracleAS Identity Management Upgrade

The following sections describe how to perform the OracleAS Identity Management upgrade for the typical OracleAS Identity Management configurations.


See Also:

Chapter 6, "Additional OracleAS Identity Management Upgrade Procedures" for information about upgrading more advanced OracleAS Identity Management configurations

5.5.1 Upgrading OracleAS Identity Management in a Colocated Infrastructure

If OracleAS Identity Management is installed as part of a colocated Infrastructure, you can use Oracle Universal Installer to do all of the following as part of the Oracle Application Server 10g Release 2 (10.1.2) installation procedure:

  • Upgrade the OracleAS Metadata Repository database.

  • Upgrade the OracleAS Identity Management program, configuration, and data files.

  • Upgrade the OracleAS Identity Management schemas in the OracleAS Metadata Repository.

To upgrade OracleAS Identity Management in a colocated Infrastructure Oracle home:

  1. If you are upgrading from Release 2 (9.0.2), make sure you have applied the latest Release 2 (9.0.2) patchsets.

    The OracleAS Identity Management upgrade procedures have been tested using the latest patchsets available from OracleMetaLink. Therefore, before you upgrade Release 2 (9.0.2) OracleAS Identity Management, apply the latest Oracle Application Server 9.0.2 patchsets.

    The OracleMetaLink Web site is at the following URL:

    http://metalink.oracle.com/
    
    

    At the time this document was published the most recent Oracle9iAS patchset release was the Oracle9iAS 9.0.2.3 patchset (3038037). To locate this patchset, search for patch number 3038037 on OracleMetaLink.


    Note:

    After applying Oracle9iAS 9.0.2.3 patchset (3038037), verify that the patchset was applied successfully before proceeding with the 10g Release 2 (10.1.2) upgrade. For example, verify that the Application Server Control, your deployed applications, and the components you use are functioning properly after you apply the patchset.

  2. Stop all the middle tiers that are using the services of the OracleAS Identity Management installation.

  3. Log in to the computer on which Release 2 (9.0.2) or 10g (9.0.4) instance is installed, as the same operating system user that performed the Release 2 (9.0.2) or 10g (9.0.4) installation.


    Note:

    You must be logged in as a member of the dba operating system group.

  4. Make sure that the OracleAS Metadata Repository database and database listener are up and running.

  5. Make sure the Oracle Internet Directory server is up and running.

    To verify that Oracle Internet Directory is running, enter one of the following commands.


    Note:

    You may have to temporarily set the ORACLE_HOME environment variable to the Oracle Internet Directory Oracle home before running the ldapbind command.

    After you verify that the Oracle Internet Directory is running, you must then make sure the ORACLE_HOME environment variable is not defined before you start the 10g Release 2 (10.1.2) installer, as directed in Step 6.


    If you are running Oracle Internet Directory on a non-secure port:

    SOURCE_ORACLE_HOME/bin/ldapbind -p Non-SSL_port
    
    

    If you are running Oracle Internet Directory on a secure port:

    SOURCE_ORACLE_HOME/bin/ldapbind -p SSL_port -U 1
    
    

    These commands should return a "bind successful" message.


    See Also:

    "Syntax for LDIF and Command-Line Tools" in the Oracle Internet Directory Administrator's Guide for more information about the ldapbind utility


    Note:

    Oracle Internet Directory 10g (9.0.4) allows you to start and stop the directory service using OPMN or the oidctl utility.

    Before upgrading a 10g (9.0.4) OracleAS Identity Management Oracle home that contains Oracle Internet Directory, start the Oracle Internet Directory instance using the opmnctl utility or the Application Server Control Console. Do not use the oidctl utility to start and stop Oracle Internet Directory in a 10g (9.0.4) Oracle home; otherwise, Oracle Universal Installer will not be able to start and stop Oracle Internet Directory automatically during the upgrade process.

    The correct use of opmnctl and oidctl is described in the Chapter "Oracle Internet Directory Process Control–Best Practices" in the Oracle Internet Directory Administrator's Guide.


  6. Set the required environment variables, as defined in the section "Environment Variables" in the "Requirements" chapter of the Oracle Application Server Installation Guide.

    In particular, be sure to set the following variables so they do not reference any Oracle home directories:

    • PATH

    • CLASSPATH

    • LD_LIBRARY_PATH

    • SHLIB_PATH

    In addition, be sure the following environment variables are not set:

    • TNS_ADMIN

    • ORACLE_HOME

    • ORACLE_SID

  7. Mount the media and start the installer.


    See Also:

    Oracle Application Server Installation Guide for detailed instructions about starting Oracle Universal Installer on your platform

  8. Refer to Table 5-1 for information on the options you should select on each screen.

  9. After the End of Installation screen appears, exit Oracle Universal Installer and then verify that Oracle Internet Directory and Oracle Application Server Single Sign-On are functioning and accessible in the new 10g Release 2 (10.1.2) Oracle home.


    See Also:

    Oracle Application Server Administrator's Guide, Chapter 1, "Accessing the Single Sign-On Server"

  10. If you are upgrading from Release 2 (9.0.2), immediately run the Metadata Repository Upgrade Assistant (MRUA) to upgrade the OracleAS Metadata Repository component schemas.

    After you upgrade Release 2 (9.0.2) OracleAS Identity Management in a colocated Infrastructure, the upgraded database contains invalid objects and represents an unsupported configuration. As a result, you must run the Metadata Repository Upgrade Assistant (MRUA) immediately after the database upgrade.


    See Also:

    Chapter 7, "Upgrading the OracleAS Metadata Repository" for more information about running MRUA.

    Section 1.7, "Understanding Transitional, Stable, and Unsupported Configurations" for more information about transitional, stable, and unsupported configurations while upgrading to 10g Release 2 (10.1.2).


Table 5-1 Summary of the Oracle Universal Installer Screens During the OracleAS Identity Management Upgrade in a Colocated infrastructure

Screen Description and Recommended Options to Select

Welcome

Welcomes you to Oracle Universal Installer and the Oracle Application Server 10g Release 2 (10.1.2) installation procedure.

Specify File Locations

Enter a name and path for the new Oracle home.

This new Oracle home will be the destination Oracle home for your Oracle Application Server 10g Release 2 (10.1.2) upgrade.

Select a Product to Install

Select Oracle Application Server Infrastructure 10g.

If multiple languages are used in the OracleAS Infrastructure you are upgrading, then click Product Languages.

Language Selection

The screen appears only if you clicked Product Languages on the Select a Product to Install screen.

If multiple languages are used in the OracleAS Infrastructure you are upgrading, select those languages.

If you are not sure which languages were installed, but want languages other than English, click the double arrow button (>>) to select all languages.

Select Installation Type

Select Identity Management and Metadata Repository.

Note: It is very important that you select the same installation type that is used in the Oracle home you are upgrading.

Upgrade Existing Infrastructure

This screen appears when Oracle Universal Installer detects an existing Oracle Application Server installation of the same type as the one you selected on the Select Installation Type screen.

Select the option to upgrade an existing OracleAS Infrastructure, and then select the Oracle home you want to upgrade from the drop-down list. (If there is only one Infrastructure of the selected type on the computer, then the drop-down list is inactive.)

Figure 5-5 shows an example of the Upgrade Existing Infrastructure screen when you are upgrading from a Release 2 (9.0.2) OracleAS Infrastructure.

Specify Oracle Internet Directory Login

Enter the Oracle Internet Directory superuser distinguished name (DN) in the Username field. The superuser DN cn=orcladmin is the default for this field; change this value if the Oracle Internet Directory superuser DN is not cn=orcladmin.

Enter the password for the superuser DN in the Password field.

Specify Infrastructure Database Connection Information

Enter SYS in the Username field and the SYS user's password in the Password field.

Warning dialog box

This dialog box warns you that all the clients of the OracleAS Metadata Repository database must now be stopped. Oracle Universal Installer will automatically stop any clients within the source Oracle home (see Footnote 1).

However, you must manually stop any database clients and OracleAS Metadata Repository clients that reside in another Oracle home.

Clients of the OracleAS Metadata Repository include:

  • OracleAS Identity Management components that use this OracleAS Metadata Repository.

  • Middle tier instances that use this OracleAS Metadata Repository

Within each middle tier that uses this OracleAS Metadata Repository, you must be sure to stop all components, including Oracle HTTP Server and OracleAS Web Cache.

For more information, see the chapter "Starting and Stopping" in the Oracle Application Server Administrator's Guide.

Database Listener Warning Dialog Box

Review the dialog box to determine whether or not you need to stop the listener manually.

For more information, see Section 5.3.3, "Stopping the Database Listener When Prompted During the OracleAS Identity Management Upgrade".

Specify Instance Name and ias_admin Password

Enter a name for the new Oracle Application Server 10g Release 2 (10.1.2) instance and a password for the ias_admin Administrator account.

You use the ias_admin password to log on to Application Server Control Console to manage Oracle Application Server.

In general, the minimum length of the ias_admin password is five alphanumeric characters. At least one of the characters must be a number and the password cannot start with a number.

For more information, see the section "The ias_admin User and Restrictions on its Password" in the Oracle Application Server Installation Guide.

Summary

Use this screen to confirm the choices you've made. Click Install to begin upgrading to the new 10g Release 2 (10.1.2) Oracle home.

A dialog box appears when the copying is complete. This dialog box prompts you to run a configuration script as the root user. Follow the instructions in the dialog box and click OK when the script is finished.

The Configuration Assistants

After the initial software is installed, a set of configuration assistants automatically set up the components in the new 10g Release 2 (10.1.2) Oracle home. Use this screen to follow the progress of each assistant and to identify any problems during this phase of the installation.

Notes:

  • The Database Upgrade Assistant (DBUA) can take a significant amount of time to upgrade the database. For more information about how long it takes to upgrade your database, see Section 3.3, "Planning for System Downtime".

  • While Database Upgrade Assistant is running, do not use the Stop button to interrupt the execution of Database Upgrade Assistant. If you press Stop, the underlying processes for Database Upgrade Assistant will continue to run. Also, Oracle Universal Installer will wait until those processes complete before returning control to the user.

End of Installation

When the installation and upgrade is complete, this screen provides important details about the 10g Release 2 (10.1.2) Oracle home, such as the URL for the Application Server Control Console and the location of the setupinfo.txt file.

After you review the information on this screen, you can exit Oracle Universal Installer and proceed to the post-upgrade tasks.


Footnote 1 You can access a log of the automated shutdown procedure executed by Oracle Universal Installer in the shutdownprocesses.log file, which is located in the cfgtoollogs directory in the destination Oracle home.

Figure 5-5 Upgrade Existing OracleAS Infrastructure Screen


5.5.2 Upgrading OracleAS Identity Management in a Non-Colocated 10g (9.0.4) Infrastructure

To upgrade OracleAS Identity Management in a non-colocated Infrastructure, you use Oracle Universal Installer just as you do when OracleAS Identity Management is in a colocated Infrastructure.

This section applies only to 10g (9.0.4) OracleAS Identity Management upgrades; Release 2 (9.0.2) did not support non-colocated Infrastructure installations.

Before you can upgrade OracleAS Identity Management in a non-colocated Infrastructure, you must verify that the OracleAS Metadata Repository that hosts the OracleAS Identity Management schemas is running in a supported version of the Oracle database.

If the OracleAS Metadata Repository is not hosted by a supported database version, you must upgrade the database. The method you use to upgrade the OracleAS Metadata Repository database varies, depending upon whether the database is a seed database or an OracleAS Metadata Repository Creation Assistant database.

After you determine whether or not the database is a seed database or an OracleAS Metadata Repository Creation Assistant database, you can upgrade the database by following the instructions for upgrading the OracleAS Metadata Repository database.

To upgrade OracleAS Identity Management in a non-colocated Infrastructure:

  1. Verify that the version of the database that hosts the OracleAS Identity Management schemas is a supported version for 10g Release 2 (10.1.2) OracleAS Identity Management.

    The OracleAS Identity Management schemas are stored in an OracleAS Metadata Repository.

    If necessary, upgrade the database by using the instructions in Section 7.1, "Task 1: Upgrade the Database That Hosts the OracleAS Metadata Repository".

  2. Make sure that the OracleAS Metadata Repository database and database listener are up and running.

  3. Log in to the computer on which the 10g (9.0.4) instance is installed, as the same operating system user that performed the 10g (9.0.4) installation.


    Note:

    You must be logged in as a member of the dba operating system group.

  4. Make sure the Oracle Internet Directory server is up and running.

    To verify that Oracle Internet Directory is running, enter one of the following commands.


    Note:

    You may have to temporarily set the ORACLE_HOME environment variable to the Oracle Internet Directory Oracle home before running the ldapbind command.

    After you verify that the Oracle Internet Directory is running, you must then make sure the ORACLE_HOME environment variable is not defined before you start the 10g Release 2 (10.1.2) installer, as directed in Step 6.


    If you are running Oracle Internet Directory on a non-secure port:

    SOURCE_ORACLE_HOME/bin/ldapbind -p Non-SSL_port
    
    

    If you are running Oracle Internet Directory on a secure port:

    SOURCE_ORACLE_HOME/bin/ldapbind -p SSL_port -U 1
    
    

    These commands should return a "bind successful" message.


    See Also:

    "Syntax for LDIF and Command-Line Tools" in the Oracle Internet Directory Administrator's Guide for more information about the ldapbind utility


    Note:

    Oracle Internet Directory 10g (9.0.4) allows you to start and stop the directory service using OPMN or the oidctl utility.

    Before upgrading an OracleAS Identity Management Oracle home that contains Oracle Internet Directory, start the Oracle Internet Directory instance using the opmnctl utility or the Application Server Control Console. Do not use the oidctl utility; otherwise, Oracle Universal Installer will not be able to start and stop Oracle Internet Directory automatically during the upgrade process.

    The correct use of opmnctl and oidctl is described in the Chapter "Oracle Internet Directory Process Control–Best Practices" in the Oracle Internet Directory Administrator's Guide.


  5. Be sure to set the environment variables, as defined in the section "Environment Variables" in the "Requirements" chapter of the Oracle Application Server Installation Guide.

    In particular, be sure to set the following variables so they do not reference any Oracle home directories:

    • PATH

    • CLASSPATH

    • LD_LIBRARY_PATH

    • SHLIB_PATH

    In addition, be sure the following environment variables are not set:

    • TNS_ADMIN

    • ORACLE_HOME

    • ORACLE_SID

  6. Mount the Oracle Application Server 10g Release 2 (10.1.2) CD-ROM and start the installer.


    See Also:

    Oracle Application Server Installation Guide for detailed instructions about starting Oracle Universal Installer on your platform

  7. Refer to Table 5-2 for information on the options you should select on each screen.

  8. After the End of Installation screen appears, exit Oracle Universal Installer and then verify that Oracle Internet Directory and Oracle Application Server Single Sign-On are functioning and accessible in the new 10g Release 2 (10.1.2) Oracle home.


    See Also:

    Oracle Application Server Administrator's Guide, Chapter 1, "Accessing the Single Sign-On Server"
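
The environment-variable requirements in Step 5 above (and in Step 6 of Section 5.5.1) can be checked in the shell that will start the installer. The following is an added example, not part of the Oracle guide; the function names and the Oracle home path used in the demonstration are assumptions.

```sh
#!/bin/sh
# Pre-flight check for the installer environment (added example).
# Pass every existing Oracle home on the host as an argument; the paths
# are site-specific and are NOT taken from the guide.

# path_refs_home VALUE HOME
# Returns 0 if any colon-separated entry of VALUE is HOME itself or a
# path below it. Plain string comparison: symlinks and relative entries
# are not resolved.
path_refs_home() {
    _prh_home=${2%/}                     # ignore one trailing slash
    [ -n "$_prh_home" ] || return 1
    case ":$1:" in
        *":$_prh_home:"* | *":$_prh_home/"*) return 0 ;;
    esac
    return 1
}

# check_upgrade_env HOME...
# Prints one line per problem and returns the number of problems found.
check_upgrade_env() {
    _problems=0
    # These variables must not be set at all when the installer starts.
    for _name in TNS_ADMIN ORACLE_HOME ORACLE_SID; do
        eval "_isset=\${$_name+set}"
        if [ -n "$_isset" ]; then
            echo "FAIL: $_name is set; unset it before starting the installer"
            _problems=$((_problems + 1))
        fi
    done
    # Search-path variables may be set, but no entry may point into an Oracle home.
    for _name in PATH CLASSPATH LD_LIBRARY_PATH SHLIB_PATH; do
        eval "_value=\${$_name-}"
        for _home in "$@"; do
            if path_refs_home "$_value" "$_home"; then
                echo "FAIL: $_name references Oracle home $_home"
                _problems=$((_problems + 1))
            fi
        done
    done
    return "$_problems"
}

# Constructed demonstration: a shell that still carries the settings used
# for the ldapbind check against the source Oracle home.
demo_home=/u01/app/oracle/infra904       # hypothetical source Oracle home
(
    unset TNS_ADMIN ORACLE_SID CLASSPATH LD_LIBRARY_PATH SHLIB_PATH
    ORACLE_HOME=$demo_home
    PATH="/usr/bin:$demo_home/bin"
    check_upgrade_env "$demo_home"
) || echo "environment is not ready for the installer"
```

Run the check in the same shell session that will launch Oracle Universal Installer, since the variables are evaluated as that shell sees them.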

Table 5-2 Summary of the Oracle Universal Installer Screens During the OracleAS Identity Management Upgrade in a 10g (9.0.4) Non-Colocated infrastructure

Screen Description and Recommended Options to Select

Welcome

Welcomes you to Oracle Universal Installer and the Oracle Application Server 10g Release 2 (10.1.2) installation procedure.

Specify File Locations

Enter a name and path for the new Oracle home.

This new Oracle home will be the destination Oracle home for your Oracle Application Server 10g Release 2 (10.1.2) upgrade.

Select a Product to Install

Select OracleAS Infrastructure 10g.

If multiple languages are used in the OracleAS Infrastructure you are upgrading, then click Product Languages.

Language Selection

The screen appears only if you clicked Product Languages on the Select a Product to Install screen.

If multiple languages are used in the OracleAS Infrastructure you are upgrading, select those languages.

If you are not sure which languages were installed, but want languages other than English, click the double arrow button (>>) to select all languages.

Select Installation Type

Select Identity Management.

Note: It is very important that you select the same installation type that is used in the Oracle home you are upgrading.

Upgrade Existing Infrastructure

This screen (Figure 5-5) appears when Oracle Universal Installer detects an existing Oracle Application Server installation of the same type as the one you selected on the Select Installation Type screen.

Select the option to upgrade an existing OracleAS Infrastructure, and then select the Oracle home you want to upgrade from the drop-down list. (If there is only one Infrastructure of the selected type on the computer, then the drop-down list is inactive.)

Specify OID Login

Enter the Oracle Internet Directory superuser distinguished name (DN) in the Username field. The superuser DN cn=orcladmin is the default for this field; change this value if the Oracle Internet Directory superuser DN is not cn=orcladmin.

Enter the password for the superuser DN in the Password field.

Specify Infrastructure Database Connection Information

Enter SYS in the Username field and the SYS user's password in the Password field.

Warning dialog box

This dialog box warns you that all the clients of the OracleAS Identity Management installation must now be stopped. Oracle Universal Installer will automatically stop any clients within the source Oracle home (see Footnote 1).

However, you must manually stop any OracleAS Identity Management clients that reside in another Oracle home.

Clients of an OracleAS Identity Management instance include:

  • OracleAS Identity Management components that are distributed and installed in another Oracle home

  • Middle tier instances that use this OracleAS Identity Management instance for authentication or identity services

Within each middle tier that uses this OracleAS Identity Management instance, you must be sure to stop all components, including Oracle HTTP Server and OracleAS Web Cache.

For more information, see the chapter "Starting and Stopping" in the Oracle Application Server Administrator's Guide.

Database Listener Warning Dialog Box

If a database listener is running on the host, a warning dialog box displays. Review the dialog box to determine whether or not you need to stop the listener manually.

For more information, see Section 5.3.3, "Stopping the Database Listener When Prompted During the OracleAS Identity Management Upgrade".

Specify Instance Name and ias_admin Password

Enter a name for the new Oracle Application Server 10g Release 2 (10.1.2) instance and a password for the ias_admin Administrator account.

You use the ias_admin password to log on to the Application Server Control Console to manage the Oracle Application Server instance.

In general, the minimum length of the ias_admin password is five alphanumeric characters. At least one of the characters must be a number and the password cannot start with a number.

For more information, see the section "The ias_admin User and Restrictions on its Password" in the Oracle Application Server Installation Guide.

Summary

Use this screen to confirm the choices you've made. Click Install to begin upgrading to the new 10g Release 2 (10.1.2) Oracle home. The install screen shows you the progress of the installation as it copies files to your local disk.

On UNIX systems, a dialog box appears when the copying is complete. This dialog box prompts you to run a configuration script as the root user. Follow the instructions in the dialog box and click OK when the script is finished.

The Configuration Assistants

After the initial software is installed, a set of configuration assistants automatically set up the components in the new 10g Release 2 (10.1.2) Oracle home. Use this screen to follow the progress of each assistant and to identify any problems during this phase of the installation.

End of Installation

When the installation and upgrade is complete, this screen provides important details about the 10g Release 2 (10.1.2) Oracle home, such as the URL for the Application Server Control Console and the location of the setupinfo.txt file.

After you review the information on this screen, you can exit Oracle Universal Installer and proceed to the post-upgrade tasks.


Footnote 1 You can access a log of the automated shutdown procedure executed by Oracle Universal Installer in the shutdownprocesses.log file, which is located in the cfgtoollogs directory in the destination Oracle home.

5.5.3 Upgrading Distributed OracleAS Identity Management Configurations

The following sections describe how to upgrade a distributed OracleAS Identity Management configuration:

5.5.3.1 Upgrading Release 2 (9.0.2) Distributed OracleAS Identity Management Configurations

A distributed OracleAS Identity Management configuration consists of multiple Oracle homes. One of the Oracle homes contains the Oracle Internet Directory.

In a Release 2 (9.0.2) distributed OracleAS Identity Management installation, the other Oracle home contains OracleAS Single Sign-On and its own OracleAS Metadata Repository (Figure 5-2).

To upgrade a Release 2 (9.0.2) distributed OracleAS Identity Management configuration:

  1. Review Section 5.5.3.3, "Verifying Whether OracleAS Identity Management Components are Enabled or Disabled" to determine exactly which OracleAS Identity Management components will be upgraded.

  2. Use the procedure in Section 5.5.1, "Upgrading OracleAS Identity Management in a Colocated Infrastructure" to upgrade the Oracle home that includes the Oracle Internet Directory and its OracleAS Metadata Repository.

    You must upgrade the Oracle Internet Directory first before upgrading the other distributed OracleAS Identity Management components.


    Note:

    If you are running only Oracle Internet Directory from the Oracle home, check to be sure the other OracleAS Identity Management components are disabled so they will not be upgraded or started in the destination 10g Release 2 (10.1.2) Oracle home.

    For more information, see Section 5.5.3.3, "Verifying Whether OracleAS Identity Management Components are Enabled or Disabled".


  3. Make sure you have applied the latest Release 2 (9.0.2) patchsets to the OracleAS Identity Management Oracle home you are about to upgrade.

    The OracleAS Identity Management upgrade procedures have been tested using the latest patchsets available from OracleMetaLink. As a result, before you upgrade Release 2 (9.0.2) OracleAS Identity Management, apply the latest Oracle Application Server 9.0.2 patchsets.

    The OracleMetaLink Web site is at the following URL:

    http://metalink.oracle.com/
    
    

    At the time this document was published the most recent Oracle9iAS patchset release was the Oracle9iAS 9.0.2.3 patchset (3038037). To locate this patchset, search for patch number 3038037 on OracleMetaLink.


    Note:

    After applying Oracle9iAS 9.0.2.3 patchset (3038037), verify that the patchset was applied successfully before proceeding with the 10g Release 2 (10.1.2) upgrade. For example, verify that the Application Server Control, your deployed applications, and the components you use are functioning properly after you apply the patchset.

  4. Make sure that the OracleAS Metadata Repository database being used by Oracle Application Server Single Sign-On and its database listener are up and running.

  5. Log in to the computer on which the other distributed OracleAS Identity Management components are installed, as the same operating system user that performed the Release 2 (9.0.2) installation.


    Note:

    You must be logged in as a member of the dba operating system group.

  6. Make sure the Oracle Internet Directory Server has been upgraded to 10g Release 2 (10.1.2) and that it is up and running.

    To verify that Oracle Internet Directory is running, enter one of the following commands.


    Note:

    You may have to temporarily set the ORACLE_HOME environment variable to the Oracle Internet Directory Oracle home before running the ldapbind command.

    After you verify that the Oracle Internet Directory is running, you must then make sure the ORACLE_HOME environment variable is not defined before you start the 10g Release 2 (10.1.2) installer, as directed in Step 6.


    If you are running Oracle Internet Directory on a non-secure port:

    SOURCE_ORACLE_HOME/bin/ldapbind -p Non-SSL_port
    
    

    If you are running Oracle Internet Directory on a secure port:

    SOURCE_ORACLE_HOME/bin/ldapbind -p SSL_port -U 1
    
    

    These commands should return a "bind successful" message.


    See Also:

    "Syntax for LDIF and Command-Line Tools" in the Oracle Internet Directory Administrator's Guide for more information about the ldapbind utility

  7. Be sure to set the environment variables, as defined in the section "Environment Variables" in the "Requirements" chapter of the Oracle Application Server Installation Guide.

    In particular, be sure to set the following variables so they do not reference any Oracle home directories:

    • PATH

    • CLASSPATH

    • LD_LIBRARY_PATH

    • SHLIB_PATH

    In addition, be sure the following environment variables are not set:

    • TNS_ADMIN

    • ORACLE_HOME

    • ORACLE_SID

  8. Mount the Oracle Application Server 10g Release 2 (10.1.2) CD–ROM and start the installer.


    See Also:

    Oracle Application Server Installation Guide for detailed instructions about starting Oracle Universal Installer on your platform

  9. Refer to Table 5-3 for information on the options you should select on each screen.

  10. After the End of Installation screen appears, exit Oracle Universal Installer and then verify that Oracle Internet Directory and Oracle Application Server Single Sign-On are functioning and accessible in the new 10g Release 2 (10.1.2) Oracle home.


    See Also:

    "Accessing the Single Sign-On Server" in the Oracle Application Server Single Sign-On Administrator's Guide

Table 5-3 Summary of the Oracle Universal Installer Screens During a Release 2 (9.0.2) Distributed OracleAS Identity Management Upgrade

Screen Description and Recommended Options to Select

Welcome

Welcomes you to Oracle Universal Installer and the Oracle Application Server 10g Release 2 (10.1.2) installation procedure.

Specify File Locations

Enter a name and path for the new Oracle home.

This new Oracle home will be the destination Oracle home for your Oracle Application Server 10g Release 2 (10.1.2) upgrade.

Select a Product to Install

Select Oracle Application Server Infrastructure 10g.

If multiple languages are used in the OracleAS Infrastructure you are upgrading, then click Product Languages.

Language Selection

The screen appears only if you clicked Product Languages on the Select a Product to Install screen.

If multiple languages are used in the OracleAS Infrastructure you are upgrading, select those languages.

If you are not sure which languages were installed, but want languages other than English, click the double arrow button (>>) to select all languages.

Select Installation Type

Select Identity Management and Metadata Repository.

Note: It is very important that you select the same installation type that is used in the Oracle home you are upgrading. In this case, the Release 2 (9.0.2) OracleAS Single Sign-On installation includes its own OracleAS Metadata Repository, so you must select the colocated OracleAS Identity Management and OracleAS Metadata Repository installation type.

Upgrade Existing Infrastructure

This screen (Figure 5-5) appears when Oracle Universal Installer detects an existing Oracle Application Server installation of the same type as the one you selected on the Select Installation Type screen.

Select the option to upgrade an existing OracleAS Infrastructure, and then select the Oracle home you want to upgrade from the drop-down list. (If there is only one Infrastructure of the selected type on the computer, then the drop-down list is inactive.)

Specify Oracle Internet Directory Login

Enter the Oracle Internet Directory superuser distinguished name (DN) in the Username field. The superuser DN cn=orcladmin is the default for this field; change this value if the Oracle Internet Directory superuser DN is not cn=orcladmin.

Enter the password for the superuser DN in the Password field.

Specify Infrastructure Database Connection Information

Enter SYS in the Username field and the SYS user's password in the Password field.

These are the login credentials for the database installed in the OracleAS Single Sign-On Oracle home. See Figure 5-2, "Distributed Identity Management in Release 2 (9.0.2)".

Specify OID Database Login

Enter SYS in the Username field and the SYS user's password for the Oracle Internet Directory database in the Password field.

These are login credentials for the database where Oracle Internet Directory has been installed. See Figure 5-2, "Distributed Identity Management in Release 2 (9.0.2)".

Warning dialog box

This dialog box warns you that all the clients of the OracleAS Identity Management installation must now be stopped. Oracle Universal Installer will automatically stop any clients within the source Oracle home (see Footnote 1).

However, you must manually stop any OracleAS Identity Management clients that reside in another Oracle home.

Clients of an OracleAS Identity Management instance include:

  • OracleAS Identity Management components that are distributed and installed in another Oracle home

  • Middle tier instances that use this OracleAS Identity Management instance for authentication or identity services

Within each middle tier that uses this OracleAS Identity Management instance, you must be sure to stop all components, including Oracle HTTP Server and OracleAS Web Cache.

For more information, see the chapter "Starting and Stopping" in the Oracle Application Server Administrator's Guide.

Database Listener Warning Dialog Box

If a database listener is running on the host, a warning dialog box displays. Review the dialog box to determine whether or not you need to stop the listener manually.

For more information, see Section 5.3.3, "Stopping the Database Listener When Prompted During the OracleAS Identity Management Upgrade".

Specify Instance Name and ias_admin Password

Enter a name for the new Oracle Application Server 10g Release 2 (10.1.2) instance and a password for the ias_admin Administrator account.

You use the ias_admin password to log on to Application Server Control Console to manage Oracle Application Server.

In general, the minimum length of the ias_admin password is five alphanumeric characters. At least one of the characters must be a number and the password cannot start with a number.

For more information, see the section "The ias_admin User and Restrictions on its Password" in the Oracle Application Server Installation Guide.

Summary

Use this screen to confirm the choices you've made. Click Install to begin upgrading to the new 10g Release 2 (10.1.2) Oracle home.

On UNIX systems, a dialog box appears when the copying is complete. This dialog box prompts you to run a configuration script as the root user. Follow the instructions in the dialog box and click OK when the script is finished.

The Configuration Assistants

After the initial software is installed, a set of configuration assistants automatically set up the components in the new 10g Release 2 (10.1.2) Oracle home. Use this screen to follow the progress of each assistant and to identify any problems during this phase of the installation.

Notes:

  • The Database Upgrade Assistant (DBUA) can take a significant amount of time to upgrade the database. For more information about how long it takes to upgrade your database, see Section 3.3, "Planning for System Downtime".

  • While Database Upgrade Assistant is running, do not use the Stop button to interrupt the execution of Database Upgrade Assistant. If you press Stop, the underlying processes for Database Upgrade Assistant will continue to run. Also, Oracle Universal Installer will wait until those processes complete before returning control to the user.

End of Installation

When the installation and upgrade is complete, this screen provides important details about the 10g Release 2 (10.1.2) Oracle home, such as the URL for the Application Server Control Console and the location of the setupinfo.txt file.

After you review the information on this screen, you can exit Oracle Universal Installer and proceed to the post-upgrade tasks.


Footnote 1 You can access a log of the automated shutdown procedure executed by Oracle Universal Installer in the shutdownprocesses.log file, which is located in the cfgtoollogs directory in the destination Oracle home.

5.5.3.2 Upgrading 10g (9.0.4) Distributed OracleAS Identity Management Configurations

A distributed OracleAS Identity Management configuration consists of multiple Oracle homes. One of the Oracle homes contains the Oracle Internet Directory.

In a 10g (9.0.4) distributed OracleAS Identity Management installation, the other Oracle homes contain additional OracleAS Identity Management components, such as OracleAS Single Sign-On, Delegated Administration Services, Oracle Directory Integration and Provisioning, and OracleAS Certificate Authority.

To upgrade a 10g (9.0.4) distributed OracleAS Identity Management configuration (as shown in Figure 5-3), do the following:

  1. Review Section 5.5.3.3, "Verifying Whether OracleAS Identity Management Components are Enabled or Disabled" to determine exactly which OracleAS Identity Management components will be upgraded.

  2. Synchronize the system clocks on all nodes where the OracleAS Identity Management components reside so they are running within 250 seconds of each other.

    When synchronizing the system clocks, make sure the clocks are set to the same time zone.

  3. Upgrade the Oracle home that includes the Oracle Internet Directory used by the other OracleAS Identity Management components.

    You must upgrade the Oracle Internet Directory first before upgrading the other distributed OracleAS Identity Management components.

    To upgrade the Oracle Internet Directory Oracle home, use one of the following procedures, depending upon the type of installation used for the Oracle Internet Directory Oracle home:


    Note:

    If you are running only Oracle Internet Directory from the Oracle home, check to be sure the other OracleAS Identity Management components are disabled so they will not be upgraded or started in the destination 10g Release 2 (10.1.2) Oracle home.

    For more information, see Section 5.5.3.3, "Verifying Whether OracleAS Identity Management Components are Enabled or Disabled".


  4. Make sure that the OracleAS Metadata Repository database and database listener used by the distributed components are up and running.

  5. Log in to the computer on which the distributed OracleAS Identity Management components are installed, as the same operating system user that performed the 10g (9.0.4) installation.


    Note:

    You must be logged in as a member of the dba operating system group.

  6. Make sure the Oracle Internet Directory server is upgraded to 10g Release 2 (10.1.2) and that it is up and running.

    To verify that Oracle Internet Directory is running, enter one of the following commands.


    Note:

    You may have to temporarily set the ORACLE_HOME environment variable to the Oracle Internet Directory Oracle home before running the ldapbind command.

    After you verify that the Oracle Internet Directory is running, you must then make sure the ORACLE_HOME environment variable is not defined before you start the 10g Release 2 (10.1.2) installer, as directed in Step 6.


    If you are running Oracle Internet Directory on a non-secure port:

    SOURCE_ORACLE_HOME/bin/ldapbind -p Non-SSL_port
    
    

    If you are running Oracle Internet Directory on a secure port:

    SOURCE_ORACLE_HOME/bin/ldapbind -p SSL_port -U 1
    
    

    These commands should return a "bind successful" message.

  7. Be sure to set the environment variables, as defined in the section "Environment Variables" in the "Requirements" chapter of the Oracle Application Server Installation Guide.

    In particular, be sure to set the following variables so they do not reference any Oracle home directories:

    • PATH

    • CLASSPATH

    • LD_LIBRARY_PATH

    • SHLIB_PATH

    In addition, be sure the following environment variables are not set:

    • TNS_ADMIN

    • ORACLE_HOME

    • ORACLE_SID

  8. Mount the Oracle Application Server 10g Release 2 (10.1.2) CD–ROM and start the installer.


    See Also:

    Oracle Application Server Installation Guide for detailed instructions about starting Oracle Universal Installer on your platform

  9. Refer to Table 5-4 for information on the options you should select on each screen.

  10. After the End of Installation screen appears, exit Oracle Universal Installer and then verify that Oracle Internet Directory and Oracle Application Server Single Sign-On are functioning and accessible.


    See Also:

    "Accessing the Single Sign-On Server" in the Oracle Application Server Single Sign-On Administrator's Guide

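As a pre-flight check for the environment-variable step that each upgrade procedure above repeats, the following script (an added example, not part of the Oracle documentation or tooling) reports any of the four path variables that reference an Oracle home, and any of TNS_ADMIN, ORACLE_HOME or ORACLE_SID that is still set. The Oracle home paths are passed as arguments; the function names and the /u01/app/oracle/ias904 path are hypothetical.

```shell
#!/bin/sh
# Added example (not an Oracle tool): pre-flight check of the environment
# rules listed in the "set the environment variables" step.

# path_refs_home VALUE HOME...
# Succeeds if any colon-separated entry of VALUE is one of the given Oracle
# home directories or lies beneath one. Symbolic links are not resolved.
# The parenthesised body runs in a subshell, so the IFS and globbing changes
# never leak into the caller.
path_refs_home() (
    value=$1
    shift
    IFS=:
    set -f
    for entry in $value; do
        for home in "$@"; do
            home=${home%/}                  # tolerate a trailing slash
            [ -n "$home" ] || continue
            case $entry in
                "$home" | "$home"/*) exit 0 ;;
            esac
        done
    done
    exit 1
)

# check_upgrade_env HOME...
# Prints one line per violation and returns the number of violations
# (0 means the shell is ready for Oracle Universal Installer).
check_upgrade_env() {
    problems=0
    for var in PATH CLASSPATH LD_LIBRARY_PATH SHLIB_PATH; do
        eval "val=\${$var-}"
        if path_refs_home "$val" "$@"; then
            echo "FAIL: $var references an Oracle home: $val"
            problems=$((problems + 1))
        fi
    done
    for var in TNS_ADMIN ORACLE_HOME ORACLE_SID; do
        # "set" means defined at all, even if the value is empty.
        if eval "[ \"\${$var+set}\" = set ]"; then
            echo "FAIL: $var is set; unset it before starting the installer"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -ne 0 ] || echo "OK: environment meets the installer requirements"
    return "$problems"
}

if [ "$#" -ge 1 ]; then
    # Real use: pass every Oracle home directory on this host as an argument.
    check_upgrade_env "$@"
else
    # Demonstration on constructed values; the home path is hypothetical.
    ( PATH=/usr/bin:/u01/app/oracle/ias904/bin
      ORACLE_SID=asdb
      check_upgrade_env /u01/app/oracle/ias904 ) || true
fi
```
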
Table 5-4 Summary of the Oracle Universal Installer Screens During a 10g (9.0.4) Distributed OracleAS Identity Management Upgrade

Screen Description and Recommended Options to Select

Welcome

Welcomes you to Oracle Universal Installer and the Oracle Application Server 10g Release 2 (10.1.2) installation procedure.

Specify File Locations

Enter a name and path for the new Oracle home.

This new Oracle home will be the destination Oracle home for your Oracle Application Server 10g Release 2 (10.1.2) upgrade.

Select a Product to Install

Select Oracle Application Server Infrastructure 10g.

If multiple languages are used in the OracleAS Infrastructure you are upgrading, then click Product Languages.

Language Selection

The screen appears only if you clicked Product Languages on the Select a Product to Install screen.

If multiple languages are used in the OracleAS Infrastructure you are upgrading, select those languages.

If you are not sure which languages were installed, but want languages other than English, click the double arrow button (>>) to select all languages.

Select Installation Type

Select Identity Management or Identity Management and Metadata Repository, depending upon the installation type you selected when you installed the distributed OracleAS Identity Management components.

Note: It is very important that you select the same installation type that is used in the Oracle home you are upgrading. In this case, you are upgrading a non-colocated OracleAS Identity Management installation, so you must select Identity Management.

Upgrade Existing Infrastructure

This screen (Figure 5-5) appears when Oracle Universal Installer detects an existing Oracle Application Server installation of the same type as the one you selected on the Select Installation Type screen.

Select the option to upgrade an existing OracleAS Infrastructure, and then select the Oracle home you want to upgrade from the drop-down list. (If there is only one Infrastructure of the selected type on the computer, then the drop-down list is inactive.)

Specify OID Login

Enter the Oracle Internet Directory superuser distinguished name (DN) in the Username field. The superuser DN cn=orcladmin is the default for this field; change this value if the Oracle Internet Directory superuser DN is not cn=orcladmin.

Enter the password for the superuser DN in the Password field.

Specify Infrastructure Database Connection Information

Enter SYS in the Username field and the SYS user's password in the Password field.

Warning dialog box

This dialog box warns you that all the clients of the OracleAS Identity Management installation must now be stopped. Oracle Universal Installer will automatically stop any clients within the source Oracle home (see Footnote 1).

However, you must manually stop any OracleAS Identity Management clients that reside in another Oracle home.

Clients of an OracleAS Identity Management instance include:

  • OracleAS Identity Management components that are distributed and installed in another Oracle home

  • Middle tier instances that use this OracleAS Identity Management instance for authentication or identity services

Within each middle tier that uses this OracleAS Identity Management instance, you must be sure to stop all components, including Oracle HTTP Server and OracleAS Web Cache.

For more information, see the chapter "Starting and Stopping" in the Oracle Application Server Administrator's Guide.

Database Listener Warning Dialog Box

If a database listener is running on the host, a warning dialog box displays. Review the dialog box to determine whether or not you need to stop the listener manually.

For more information, see Section 5.3.3, "Stopping the Database Listener When Prompted During the OracleAS Identity Management Upgrade".

Specify Instance Name and ias_admin Password

Enter a name for the new Oracle Application Server 10g Release 2 (10.1.2) instance and a password for the ias_admin Administrator account.

You use the ias_admin password to log on to Application Server Control Console to manage Oracle Application Server.

In general, the minimum length of the ias_admin password is five alphanumeric characters. At least one of the characters must be a number and the password cannot start with a number.

For more information, see the section "The ias_admin User and Restrictions on its Password" in the Oracle Application Server Installation Guide.

Summary

Use this screen to confirm the choices you've made. Click Install to begin upgrading to the new 10g Release 2 (10.1.2) Oracle home.

On UNIX systems, a dialog box appears when the copying is complete. This dialog box prompts you to run a configuration script as the root user. Follow the instructions in the dialog box and click OK when the script is finished.

The Configuration Assistants

After the initial software is installed, a set of configuration assistants automatically set up the components in the new 10g Release 2 (10.1.2) Oracle home. Use this screen to follow the progress of each assistant and to identify any problems during this phase of the installation.

Notes:

  • The Database Upgrade Assistant (DBUA) can take a significant amount of time to upgrade the database. For more information about how long it takes to upgrade your database, see Section 3.3, "Planning for System Downtime".

  • While Database Upgrade Assistant is running, do not use the Stop button to interrupt the execution of Database Upgrade Assistant. If you press Stop, the underlying processes for Database Upgrade Assistant will continue to run. Also, Oracle Universal Installer will wait until those processes complete before returning control to the user.

End of Installation

When the installation and upgrade is complete, this screen provides important details about the 10g Release 2 (10.1.2) Oracle home, such as the URL for the Application Server Control Console and the location of the setupinfo.txt file.

After you review the information on this screen, you can exit Oracle Universal Installer and proceed to the post-upgrade tasks.


Footnote 1 You can access a log of the automated shutdown procedure executed by Oracle Universal Installer in the shutdownprocesses.log file, which is located in the cfgtoollogs directory in the destination Oracle home.

5.5.3.3 Verifying Whether OracleAS Identity Management Components are Enabled or Disabled

When you upgrade a distributed OracleAS Identity Management configuration, the 10g Release 2 (10.1.2) installer will upgrade any OracleAS Identity Management components that are enabled in the source Oracle home.

An OracleAS Identity Management component is considered enabled when it is marked as such in the following configuration file in the source Oracle home:

SOURCE_ORACLE_HOME/config/ias.properties

Before you upgrade your Oracle Internet Directory installation in a distributed OracleAS Identity Management configuration, you can check the contents of this file to verify which components are enabled. If necessary, modify the entries to reflect exactly which components you have enabled, and as a result, which components will be upgraded.

The entries in the ias.properties file vary, depending upon whether you are upgrading a Release 2 (9.0.2) Oracle home or a 10g (9.0.4) Oracle home. Refer to the following sections for more information:

5.5.3.3.1 Verifying Enabled OracleAS Identity Management Components in a Release 2 (9.0.2) Oracle Home

If you are running only Oracle Internet Directory in a Release 2 (9.0.2) Oracle home, the ias.properties file should contain the following entries:

SSO.LaunchSuccess=False
OID.LaunchSuccess=True

If there were other OracleAS Identity Management components configured in the Release 2 (9.0.2) source Oracle home after Release 2 (9.0.2) was installed, those other components, such as Oracle Delegated Administration Services (DAS), will not be upgraded to 10g Release 2 (10.1.2) in the destination Oracle home. If you want to run those other components in the 10g Release 2 (10.1.2) home, configure those components to the 10g Release 2 (10.1.2) destination Oracle home.

5.5.3.3.2 Verifying Enabled OracleAS Identity Management Components in a 10g (9.0.4) Oracle Home

If you are running only Oracle Internet Directory in a 10g (9.0.4) Oracle home, the ias.properties file should contain the following entries:

SSO.LaunchSuccess=False
OID.LaunchSuccess=True
DAS.LaunchSuccess=False
DIP.LaunchSuccess=False
OCA.LaunchSuccess=False

On the other hand, if you are running OracleAS Single Sign-On, Oracle Delegated Administration Services, and Oracle Directory Integration and Provisioning in one Oracle home, but using Oracle Internet Directory in another Oracle home, the entries would appear as follows:

SSO.LaunchSuccess=True
OID.LaunchSuccess=False
DAS.LaunchSuccess=True
DIP.LaunchSuccess=True
OCA.LaunchSuccess=False
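
To check a source Oracle home against the listings above before starting the installer, the following script (an added example, not Oracle code) reads the LaunchSuccess entries from ias.properties and compares the enabled components with the ones you intend to upgrade. The function names, the script name in the usage comment, and the parsing tolerances described in the comments are assumptions; the sample data is constructed from the OID-only listing on this page.

```shell
#!/bin/sh
# Added example (not Oracle code): report which OracleAS Identity Management
# components ias.properties marks as enabled, and so will be upgraded.

# enabled_components FILE
# Prints the sorted prefixes (OID, SSO, DAS, ...) whose <NAME>.LaunchSuccess
# entry is True. Assumptions: comment lines start with # or !, whitespace and
# CR around key and value are ignored, the value is compared
# case-insensitively, and the last entry for a key wins.
enabled_components() {
    awk -F= '
        /^[ \t]*[#!]/ { next }
        {
            key = $1; val = $2
            gsub(/[ \t\r]/, "", key)
            gsub(/[ \t\r]/, "", val)
            if (key ~ /\.LaunchSuccess$/) {
                sub(/\.LaunchSuccess$/, "", key)
                state[key] = tolower(val)
            }
        }
        END { for (k in state) if (state[k] == "true") print k }
    ' "$1" | sort
}

# verify_upgrade_scope FILE COMPONENT...
# Compares the enabled set with the components you intend to upgrade from
# this Oracle home. Returns 0 on an exact match, 1 on any difference, and 2
# if the file cannot be read.
verify_upgrade_scope() {
    _file=$1
    shift
    [ -r "$_file" ] || { echo "ERROR: cannot read $_file" >&2; return 2; }
    _actual=$(enabled_components "$_file" | tr '\n' ' ')
    _rc=0
    for _c in $_actual; do
        case " $* " in
            *" $_c "*) ;;
            *) echo "UNEXPECTED: $_c is enabled and will be upgraded"; _rc=1 ;;
        esac
    done
    for _c in "$@"; do
        case " $_actual" in
            *" $_c "*) ;;
            *) echo "MISSING: $_c is not enabled and will not be upgraded"; _rc=1 ;;
        esac
    done
    [ "$_rc" -ne 0 ] || echo "OK: enabled components match: $*"
    return "$_rc"
}

# Usage (hypothetical script name):
#   sh check_ias_components.sh SOURCE_ORACLE_HOME/config/ias.properties OID
if [ "$#" -ge 1 ]; then
    verify_upgrade_scope "$@"
else
    # No file given: run against constructed sample data that mirrors the
    # OID-only 10g (9.0.4) listing shown on this page.
    _sample=$(mktemp)
    printf '%s\n' 'SSO.LaunchSuccess=False' 'OID.LaunchSuccess=True' \
        'DAS.LaunchSuccess=False' 'DIP.LaunchSuccess=False' \
        'OCA.LaunchSuccess=False' > "$_sample"
    verify_upgrade_scope "$_sample" OID
    rm -f "$_sample"
fi
```
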

5.6 Task 5: Complete the OracleAS Identity Management Upgrade

This section details the post-upgrade procedures which will complete the Infrastructure upgrade to 10g Release 2 (10.1.2). It is organized into these sections:

5.6.1 Verifying the Application Server Control Console Port

After you upgrade your OracleAS Identity Management, you can use the Oracle Enterprise Manager 10g Application Server Control Console to manage the upgraded 10g Release 2 (10.1.2) OracleAS Identity Management instance.

However, the port used for the Application Server Control Console will be the port assigned by Oracle Universal Installer during the 10g Release 2 (10.1.2) installation. You will not be able to use the port number that was previously used by Enterprise Manager in the source Oracle home.


See Also:

Section 4.6.1, "About Port Values and the portlist.ini File After Upgrade" for information about how port numbers are changed during the upgrade process

"Managing Ports" in the Oracle Application Server Administrator's Guide for information about changing the Application Server Control Console port after upgrade


5.6.2 About Administration Passwords After Upgrade

After you upgrade your Oracle Application Server instance, use the following passwords in the destination Oracle home:

  • To log in to the Application Server Control Console, use the ias_admin password you defined during the installation of the destination Oracle home.

  • To log in to the OracleAS Web Cache Manager, use the OracleAS Web Cache Administrator password you used in the OracleAS Web Cache source Oracle home.

5.6.3 Enabling Secure Sockets Layer (SSL) for OracleAS Identity Management Components

If you are upgrading distributed OracleAS Identity Management components that were configured to use SSL, you must re-enable SSL for the OracleAS Single Sign-On and Oracle Delegated Administration Services after the upgrade. For more information, see the following sections:

5.6.3.1 Enabling SSL for Oracle Internet Directory After Upgrade

There is no need to enable SSL for Oracle Internet Directory, since the upgrade procedure automatically re-enables SSL for Oracle Internet Directory in the destination Oracle home if you were using SSL with Oracle Internet Directory in the source Oracle home.

5.6.3.2 Enabling SSL for OracleAS Single Sign-On After Upgrade

To enable SSL for OracleAS Single Sign-On, use the procedure described in the section "Enabling SSL" in the "Advanced Deployment Options" chapter of the Oracle Application Server Single Sign-On Administrator's Guide.

In particular, you must perform the following steps as described in that section of the Oracle Application Server Single Sign-On Administrator's Guide:

  1. Enable SSL on the Single Sign-On middle tier.

  2. Update targets.xml.

  3. Protect Single Sign-On URLs.

  4. Restart the Oracle HTTP Server and the Single Sign-On Middle Tier.

  5. Register mod_osso with the SSL virtual host as documented in the section "Configuring mod_osso with Virtual Hosts" in the Oracle Application Server Single Sign-On Administrator's Guide.

5.6.3.3 Enabling SSL for Oracle Delegated Administration Services After Upgrade

If you have also configured Oracle Delegated Administration Services in the upgraded Oracle home, you must reconfigure the Oracle Delegated Administration Services URL.

To reconfigure the Oracle Delegated Administration Services URL:

  1. Start the Oracle Directory Manager in the Oracle Delegated Administration Services Oracle home:

    ORACLE_HOME/bin/oidadmin
    
    
  2. Use the Navigator Pane to expand the directory tree until you locate the following entry:

    cn=OperationUrls,cn=DAS,cn=Products,cn=OracleContext
    
    
  3. Select the entry in the tree.

    Oracle Directory Manager displays the attributes of the entry in the right pane of the Directory Manager window.

  4. Change the orcldasurlbase attribute so it references the HTTPS, SSL URL for the Oracle Delegated Administration Services:

    https://hostname:http_ssl_port_number/
    
    

    For example:

    https://mgmt42.acme.com:4489/
    

See Also:

"Using Oracle Directory Manager" in the Oracle Internet Directory Administrator's Guide

5.6.4 Completing the Oracle Internet Directory Upgrade

To complete the Oracle Internet Directory Upgrade, you must perform the following tasks:

5.6.4.1 Running the oidpu904.sql Script to Recreate the orclnormdn Catalog

After you upgrade Oracle Internet Directory from Release 2 (9.0.2) to 10g Release 2 (10.1.2), you must run the oidpu904.sql script and recreate the orclnormdn catalog in the Oracle Internet Directory; otherwise, some Oracle Application Server components will not work correctly with the Oracle Internet Directory server.

Note that this procedure is not necessary if you have upgraded from Oracle Internet Directory 10g (9.0.4).

To perform this procedure:

  1. Ensure that the ORACLE_HOME environment variable is set to the destination Oracle home and the ORACLE_SID environment variable is set to the system identifier (SID) of the Infrastructure database.

  2. Run the following command:

    sqlplus ods/ods_password@net_service_name_for_OID_database @DESTINATION_ORACLE_HOME/ldap/admin/oidpu904.sql
    
    

    For example:

    sqlplus ods/welcome1@iasdb @DESTINATION_ORACLE_HOME/ldap/admin/oidpu904.sql
    

    Note:

    When you upgrade Oracle Internet Directory to 10g Release 2 (10.1.2), the password for the Oracle Internet Directory schema (ODS) is reset to the ias_admin password.

  3. Re-create the index for the orclnormdn attribute by executing the catalog.sh script, which drops and re-creates the catalog for the orclnormdn attribute.

    1. Ensure that the Oracle Internet Directory server is operating in read-only mode.

      To set the server to read-only mode, first create an LDIF file named readonly.ldif that contains the following lines:

      dn:
      changetype:modify
      replace:orclservermode
      orclservermode:r
      
      

      Then, run the following command:

      ORACLE_HOME/bin/ldapmodify -p oid_port -D cn=orcladmin \
            -w orcladmin_passwd -v -f readonly.ldif
      
      

      In the example, replace oid_port with the listening port of the directory server and replace orcladmin_passwd with the password of the superuser DN (cn=orcladmin).

    2. Set the PATH variable to include the DESTINATION_ORACLE_HOME/bin directory.

    3. Issue these commands to re-create the index for the orclnormdn attribute:

      DESTINATION_ORACLE_HOME/ldap/bin/catalog.sh -connect oid_database_net_service_name -delete -attr orclnormdn
      
      DESTINATION_ORACLE_HOME/ldap/bin/catalog.sh -connect oid_database_net_service_name -add -attr orclnormdn
      
      
  4. Reset the Oracle Internet Directory server to operate in read-write mode.

    To set the server to read-write mode, first create an LDIF file named readwrite.ldif that contains the following lines:

    dn:
    changetype:modify
    replace:orclservermode
    orclservermode:rw
    
    

    Then, run the following command:

    ORACLE_HOME/bin/ldapmodify -p oid_port -D cn=orcladmin \
          -w orcladmin_passwd -v -f readwrite.ldif
    
    

    In the example, replace oid_port with the listening port of the directory server and replace orcladmin_passwd with the password of the superuser DN (cn=orcladmin).
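
The following wrapper is an added example, not part of the Oracle documentation or product. It runs steps 3 and 4 above so that the directory is always returned to read-write mode, even when catalog.sh fails part way through. The function names and the OID_PORT, OID_DB and ORCLADMIN_PW variables are hypothetical; the tool paths can be overridden so the logic can be exercised without an Oracle home.

```bash
# Added example, not Oracle-supplied code: steps 3 and 4 of the procedure above,
# wrapped so the server is switched back to read-write whatever catalog.sh returns.
# Hypothetical names: write_mode_ldif, set_server_mode, rebuild_orclnormdn,
# OID_PORT, OID_DB, ORCLADMIN_PW.
LDAPMODIFY=${LDAPMODIFY:-${ORACLE_HOME:-}/bin/ldapmodify}
CATALOG=${CATALOG:-${ORACLE_HOME:-}/ldap/bin/catalog.sh}

# Write the four-line LDIF shown in the procedure; $1 is r or rw, $2 the file.
write_mode_ldif() {
    printf 'dn:\nchangetype:modify\nreplace:orclservermode\norclservermode:%s\n' "$1" > "$2"
}

# Apply orclservermode using the ldapmodify command line from the procedure.
# Note: -w places the password in the process argument list, where other
# local users can read it with ps while the command runs.
set_server_mode() {
    case "$1" in r|rw) ;; *) echo "mode must be r or rw" >&2; return 64 ;; esac
    mode_ldif=$(mktemp) || return 1
    write_mode_ldif "$1" "$mode_ldif"
    "$LDAPMODIFY" -p "$OID_PORT" -D cn=orcladmin -w "$ORCLADMIN_PW" -v -f "$mode_ldif" \
        && mode_rc=0 || mode_rc=$?
    rm -f "$mode_ldif"
    return "$mode_rc"
}

# Returns 0 on success, 1 if read-only mode could not be set (nothing changed),
# 2 if the server could not be returned to read-write, otherwise the
# exit status of the failing catalog.sh call.
rebuild_orclnormdn() {
    : "${OID_PORT:?set OID_PORT}" "${OID_DB:?set OID_DB}" "${ORCLADMIN_PW:?set ORCLADMIN_PW}"
    set_server_mode r || { echo "could not switch to read-only; nothing changed" >&2; return 1; }
    cat_rc=0
    "$CATALOG" -connect "$OID_DB" -delete -attr orclnormdn &&
        "$CATALOG" -connect "$OID_DB" -add -attr orclnormdn || cat_rc=$?
    # Step 4 always runs, whatever catalog.sh returned.
    if ! set_server_mode rw; then
        echo "WARNING: directory is still read-only; repeat step 4 by hand" >&2
        return 2
    fi
    [ "$cat_rc" -eq 0 ] || echo "catalog.sh failed ($cat_rc); check the orclnormdn catalog" >&2
    return "$cat_rc"
}

# Runs only when the script is invoked as: sh rebuild_orclnormdn.sh run
if [ "${1:-}" = "run" ]; then rebuild_orclnormdn; fi
```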

5.6.4.2 Running the Certificate Upgrade Tool (upgradecert.pl)

Starting with release 10.1.2, a certificate hash value can be used to bind to Oracle Internet Directory. The introduction of this hash value requires that user certificates issued before release 10.1.2 be updated in the directory. This is a post-upgrade step and it is required only if user certificates are provisioned in the directory. The upgradecert.pl tool is used for this purpose.

Complete instructions for running the Certificate Upgrade Tool are available in Appendix A, "Syntax for LDIF and Command-Line Tools," in the Oracle Internet Directory Administrator's Guide.

5.6.4.3 Configuring Oracle Internet Directory 10g Release 2 (10.1.2) for Release 2 (9.0.2) Middle Tiers

Before you can use Release 2 (9.0.2) middle tiers against the upgraded 10g Release 2 (10.1.2) Oracle Internet Directory, you must configure Oracle Internet Directory using the imconfig script.

For information on using the imconfig script, see Section 4.2.1, "Before Installing the 10g Release 2 (10.1.2) Middle Tier Against a Release 2 (9.0.2) Oracle Internet Directory".

5.6.4.4 Modifying Access Policies After Oracle Internet Directory Upgrade

During the Oracle Internet Directory upgrade, LDAP objects within the directory are modified or added to the Oracle Internet Directory. These updates often include access control information.

In a production environment, customized access control policies are often enforced in the directory. For this reason, the upgrade process intentionally leaves certain entries in the directory untouched to retain any customized behaviour you may have implemented in the directory.

Further, in some cases, the default, out-of-the-box access control settings are required for Oracle components to function properly. As a result, after the Oracle Internet Directory upgrade, you should analyze the differences between the default, out-of-the-box access control policies and any custom policies you have implemented. The result of this task should be a new set of customized access control policies that will meet the requirements of Oracle components, as well as the access control policies of your organization.

Even if you have not implemented any customized access control policies, Oracle strongly recommends that you manually update the ACLs with the new default values after an upgrade.

The following example uses "dc=acme, dc=com" as a default realm DN. In this example, consider the following when analyzing the ACL policy for your directory:

  • Realm DN, for example, "dc=acme, dc=com".

  • Parent of the Realm DN. This is also known as the Realm Search Base, for example, "dc=com".

  • Realm User container. This is also known as the Realm User Search Base, for example, "cn=Users, dc=acme, dc=com". Depending on the deployment requirement, this can be customized.

  • Realm Group container. This is also known as the Realm Group Search Base, for example, "cn=Groups, dc=acme, dc=com". Depending on the deployment requirement, this can be customized.

The out-of-the-box access control policies are available in the following files:

  • Policies for the Parent of Realm DN can be found in the following file:

    $ORACLE_HOME/ldap/schema/oid/oidDefaultSubscriberConfig.sbs
    
    
  • Policies for the Realm DN, Realm User container, and Realm Group container can be found in:

    $ORACLE_HOME/ldap/schema/oid/oidSubscriberCreateAuxDIT.sbs
    
    

The default ACL policy is described in the Oracle Internet Directory Administrator's Guide, in Chapter 17, in the section on "Default Privileges for Reading Common Group Attributes".
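
The following script is an added example, not part of the Oracle documentation or product, showing one way to carry out the comparison recommended in this section. It assumes you have prepared two LDIF files yourself: the default policies with your realm DNs filled in, and an export of the same entries from the upgraded directory. The function names are hypothetical and the sample ACL values are constructed for illustration; they are not the shipped defaults.

```bash
# Added example, not Oracle-supplied code. acl_pairs, acl_diff and
# write_acl_samples are hypothetical names.

# Emit one "dn<TAB>attribute<TAB>value" line per orclaci / orclentrylevelaci
# value in an LDIF file. DNs are lower-cased and spaces around commas removed,
# so "cn=Users, dc=acme, dc=com" and "cn=users,dc=acme,dc=com" compare equal.
# ACL values are compared as text after collapsing runs of white space.
acl_pairs() {
    awk '
    function flush(   name, val) {
        if (line != "" && match(line, /^[A-Za-z][A-Za-z0-9;-]*:/)) {
            name = tolower(substr(line, 1, RLENGTH - 1))
            val = substr(line, RLENGTH + 1)
            gsub(/[ \t]+/, " ", val); sub(/^ /, "", val); sub(/ $/, "", val)
            if (name == "dn") {
                dn = tolower(val); gsub(/ *, */, ",", dn)
            } else if (name == "orclaci" || name == "orclentrylevelaci") {
                print dn "\t" name "\t" val
            }
        }
        line = ""
    }
    { sub(/\r$/, "") }
    /^ / { line = line substr($0, 2); next }   # LDIF folds long values onto " "-prefixed lines
    { flush(); line = $0 }
    END { flush() }
    ' "$1" | LC_ALL=C sort -u
}

# $1 = LDIF of default policies, $2 = LDIF exported from the directory.
# MISSING-DEFAULT: a default ACL that the directory does not carry.
# CUSTOM: an ACL in the directory that is not among the defaults.
acl_diff() {
    want=$(mktemp) || return 1
    have=$(mktemp) || { rm -f "$want"; return 1; }
    acl_pairs "$1" > "$want"
    acl_pairs "$2" > "$have"
    LC_ALL=C comm -23 "$want" "$have" | awk '{ print "MISSING-DEFAULT\t" $0 }'
    LC_ALL=C comm -13 "$want" "$have" | awk '{ print "CUSTOM\t" $0 }'
    rm -f "$want" "$have"
}

# Constructed sample data for the "dc=acme, dc=com" realm used in this section.
write_acl_samples() {   # $1 = directory to receive the two files
    cat > "$1/defaults.ldif" <<'EOF'
dn: cn=Users, dc=acme, dc=com
orclaci: access to entry by group="cn=ExampleUserAdmins,cn=Groups,dc=acme,dc=com"
  (browse,add,delete) by * (browse)
orclaci: access to attr=(userpassword) by self (read,write) by * (none)

dn: cn=Groups, dc=acme, dc=com
orclaci: access to attr=(*) by * (read,search)
EOF
    cat > "$1/live.ldif" <<'EOF'
dn: cn=users,dc=acme,dc=com
orclaci: access to entry by group="cn=ExampleUserAdmins,cn=Groups,dc=acme,dc=com" (browse,add,delete) by * (browse)
orclaci: access to attr=(userpassword) by self (read,write) by * (none)
orclaci: access to attr=(mail) by group="cn=HelpDesk,cn=Groups,dc=acme,dc=com" (read,write)

dn: cn=Groups,dc=acme,dc=com
EOF
}

# Stand-alone use: sh acl_diff.sh defaults.ldif live.ldif
if [ $# -eq 2 ]; then acl_diff "$1" "$2"; fi
```

Each MISSING-DEFAULT line is a candidate for the manual ACL update recommended above, and each CUSTOM line is a local policy to review against the new defaults before you keep it.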

5.6.4.5 Resetting the Replication Wallet Password

If you upgrade a 9.0.x node to 10g Release 2 (10.1.2) and then try to set up replication for this node, the replication server will fail to come up and the replication setup itself may fail. Therefore, before setting up replication, reset the replication wallet password on the upgraded 10g Release 2 (10.1.2) node by using the following command:

DESTINATION_ORACLE_HOME/bin/remtool -presetpwd -v -bind host:port

This step ensures that the upgraded node can be configured in replication, if required.

5.6.4.6 Completing the Upgrade for the Oracle Directory Integration and Provisioning

If you had an older version (9.0.2 or 9.0.4) of the Directory Integration Platform (DIP) operating in a different Oracle home, on a different computer, and using the Oracle Internet Directory you are currently upgrading, and you want to continue using the DIP, you must re-register the DIP server.


See Also:

Oracle Identity Management Integration Guide for instructions on registering the DIP server.

5.6.4.7 Oracle Internet Directory Post-Upgrade Steps Required for OracleAS Portal

The following post-upgrade steps are required if you have configured OracleAS Portal against this Identity Management and Oracle Internet Directory was upgraded directly from Release 2 (9.0.2):

5.6.4.7.1 Apply Interoperability Patches for Oracle9iAS Portal Release 2 (9.0.2)

If Oracle Internet Directory was upgraded directly from Release 2 (9.0.2), and you are operating Oracle9iAS Portal Release 2 (9.0.2 or 9.0.2.3), an interoperability patch must be applied to the Oracle9iAS repository, as explained below. This step can be skipped if the Oracle9iAS Portal version is 9.0.2.6 or later:

  • If you are operating Portal version 9.0.2.0 or 9.0.2.2 (Oracle9iAS 9.0.2.0.1): You must apply Patch 3238095, which corrects problems with registering users and groups in Oracle9iAS Release 2 (9.0.2) Identity Management configuration, and resolves interoperability issues.

  • If you are operating Portal 9.0.2.3 (Oracle9iAS 9.0.2.3): You must apply Patch 3076511 to resolve interoperability issues.

To apply the patches:

  1. Log in to Oracle MetaLink at:

    http://metalink.oracle.com

  2. Locate the patch specified for the Portal version you are operating.

  3. Follow the instructions in the patch Readme file.

5.6.4.7.2 Reconfigure the OracleAS Portal Instances for the Oracle Internet Directory Server

If Oracle Internet Directory was upgraded directly from Release 2 (9.0.2), and if there are any OracleAS Portal instances using the upgraded Oracle Internet Directory server, they should be reconfigured. Follow these steps to reconfigure OracleAS Portal from a middle tier whose version is 10g (10.1.2):

  1. Change directory to the following location in the destination middle tier Oracle home:

    DESTINATION_ORACLE_HOME/portal/conf
    
    
  2. Run the following command:

    ptlconfig -dad portal_DAD -oid
    

If the version of your middle-tier is lower than 10.1.2, you must use the Oracle Portal Configuration Assistant command line utility ptlasst to reconfigure OracleAS Portal instances to work with Oracle Internet Directory. Refer to the appropriate version of the Oracle Application Server Portal Configuration Guide for instructions on how to use ptlasst.

5.6.4.7.3 Refresh the Oracle Delegated Administration Services (DAS) URL Cache

The URLs for the Delegated Administration Services are different in Oracle9iAS Release 2 (9.0.2) Oracle Internet Directory server and the Oracle Application Server 10g Release 2 (10.1.2) Oracle Internet Directory server. When the Oracle Internet Directory server is upgraded, these URLs are updated to the correct values. However, OracleAS Portal maintains a cache of these URLs, which does not get upgraded, and is therefore inconsistent with the set of URLs in 10g Release 2 (10.1.2).

If Oracle Internet Directory was upgraded directly from Release 2 (9.0.2), the DAS URL cache will have to be refreshed. The procedure for refreshing the cache is dependent on the OracleAS Portal version you have. To refresh the cache, follow the steps in one of the sections below:

To refresh the URL cache in Version 9.0.2.6 or later:

  1. Log in to the Portal as a Portal administrator.

  2. Click the Administer tab.

  3. Click the Global Settings link in the Services portlet.

  4. Click the SSO/OID tab.

  5. Note the values that appear under the section Cache for OID Parameters.

  6. Click the check box next to Refresh Cache for OID Parameters.

  7. Click Apply.

  8. Verify that the values displayed under Cache for OID Parameters have changed.

  9. Click OK.

To refresh the URL cache in versions prior to 9.0.2.6:

  1. Apply the one-off patch 3225970. This patch is available at:

    http://metalink.oracle.com

  2. Clear the Web Cache by performing these steps:

    1. Log in to the Portal as a Portal Administrator.

    2. Click the Administer tab.

    3. Click the Global Settings link in the Services portlet.

    4. Click the Cache tab.

    5. Click the check box next to Clear the Entire Web Cache.

    6. Click OK.

  3. Clear the middle tier cache by performing a recursive delete of all the files and subdirectories inside the following directory:

    DESTINATION_ORACLE_HOME/Apache/modplsql/cache
    

5.6.4.8 Running the oidstats.sql Script After Upgrading Oracle Internet Directory from 10g (9.0.4)

After you upgrade Oracle Internet Directory from 10g (9.0.4) to 10g Release 2 (10.1.2), you could observe some degradation in the performance of some LDAP queries.

To remedy this issue, perform the following procedure, which updates some database statistics in the Oracle Database 10g database that hosts the Oracle Internet Directory server:

  1. In the newly upgraded Oracle Internet Directory Oracle home, execute the following SQL script by connecting to the OID database as the ODS database user:

    sqlplus ods/<passwd> @$ORACLE_HOME/ldap/admin/oidstats.sql
    
    
  2. Restart the Oracle Internet Directory server as follows:

    1. Run the following command to stop the Oracle Internet Directory server:

      opmnctl stopproc ias-component=OID
      
      
    2. Wait a few seconds for the Oracle Internet Directory server to shut down completely.

    3. Run the following command to start the Oracle Internet Directory server:

      opmnctl startproc ias-component=OID
      
      

Similarly, if you are running in an environment where the database that hosts the Oracle Internet Directory is upgraded before you upgrade the Oracle Internet Directory, you should gather the database statistics immediately after the database upgrade by running the following SQL command on the database:

exec dbms_stats.gather_schema_stats('ODS'); 

5.6.4.9 Modifying DSA Configuration Entries After Upgrade

When you upgrade Oracle Internet Directory from 10g (9.0.4) to 10g Release 2 (10.1.2), all attributes in the DSA Configuration entry are reset to their default values. For example:

cn=dsaconfig,cn=configsets,cn=oracle internet directory

As a result, if any attributes in this entry were modified before the upgrade, you must reconfigure them to their values before the upgrade.

5.6.4.10 Recreating Oracle Internet Directory Indexes After Upgrade

When you upgrade Oracle Internet Directory from 10g (9.0.4) to 10g Release 2 (10.1.2), some indexes are recreated automatically by the upgrade procedure. For example, the EI_attrstore index is recreated automatically during the upgrade.

As a result, if you recreated the EI_attrstore index before the upgrade, then the index will have to be recreated again after the upgrade. Note that recreating the EI_attrstore index is part of the performance recommendation for large group entry lookups described in section "21.8.1 Optimizing Searches for Large Group Entries" of the Oracle Internet Directory Administrator's Guide. If you performed this procedure prior to the upgrade to 10g Release 2 (10.1.2), you will need to perform this task again after the upgrade.

5.6.5 Completing the OracleAS Single Sign-On Upgrade

To complete the OracleAS Single Sign-On upgrade, depending on the configuration upgraded, you may need to perform the tasks described in the following sections:

5.6.5.1 Re-configuring the OracleAS Single Sign-On Middle Tier

If the Release 2 (9.0.2) or 10g (9.0.4) middle tier for the Single Sign-On server had custom configurations (for example, Oracle HTTP Server configured for SSL, or the Oracle Application Server Single Sign-On server Database Access Descriptor had any custom configuration), then you must re-configure the upgraded 10g Release 2 (10.1.2) middle tier in a like manner.


See Also:

Oracle Application Server Single Sign-On Administrator's Guide for instructions on configuring the middle tier.

If you are using OracleAS Portal and you reconfigure the 10g Release 2 (10.1.2) middle tier for SSL, the URL used for Oracle Delegated Administration Services might not be up-to-date. To remedy this problem, force a refresh of the portal cache, which holds the relevant Oracle Internet Directory information:

  1. Log on to OracleAS Portal as a user with administrator privileges.

  2. Go to the Builder.

  3. Click the Administration tab.

  4. From the Portal tab, open Global Settings and navigate to the SSO/OID tab.

  5. Scroll to the bottom of the page.

  6. Check Refresh Cache for the Oracle Internet Directory parameters.

  7. Click Apply.

    The page should refresh with the appropriate value in the DAS Host Name field.

5.6.5.2 Configuring Third-party Authentication

If the Release 2 (9.0.2) or 10g (9.0.4) middle tier was configured to authenticate with a user certificate or third party authentication mechanism, then you must re-configure the 10g Release 2 (10.1.2) OracleAS Single Sign-On server in a like manner.


See Also:

Oracle Application Server Single Sign-On Administrator's Guide, Chapter 13, for instructions on configuring the middle tier.

5.6.5.3 Installing Customized Pages in the Upgraded Server

If you have customized the login, password and the sign-off pages in the Release 2 (9.0.2) or 10g (9.0.4) Single Sign-On server, then you must update those pages with 10g Release 2 (10.1.2) specifications. This is also applicable if you have enabled support for Application Service Providers and updated the deployment login page to enable the company field.


See Also:

Oracle Application Server Single Sign-On Administrator's Guide, Chapter 12, for instructions on configuring the middle tier.

5.6.5.4 Converting External Application IDs


Note:

You do not need to perform this task if you upgraded from an OracleAS Single Sign-On version of 9.0.2.5 or later.

You can verify the version of OracleAS Single Sign-On you are running by running the following SQL statement against the OracleAS Single Sign-On database:

select version from orasso.wwc_version$;

It should return a value like 9.0.2.5.x.


To avoid ID conflicts while exporting and importing external application data among multiple OracleAS Single Sign-On server instances, external application IDs must be unique. In the Release 2 (9.0.2) release, external application IDs were sequential, and not unique across instances. If you are upgrading from Release 2 (9.0.2) directly to 10g Release 2 (10.1.2), then you must convert existing short external application IDs to the longer format in the OracleAS Single Sign-On schema. Follow the steps below to convert the IDs:

  1. Set the ORACLE_HOME environment variable to the Oracle home of the OracleAS Single Sign-On instance.

  2. Execute the following script from the OracleAS Single Sign-On Oracle home, by using the following commands:

    sqlplus orasso/password
    spool extappid.log
    @?/sso/admin/plsql/sso/ssoupeid.sql
    spool off
    

    See Also:

    "Obtaining the Single Sign-On Schema Password" in the Oracle Application Server Single Sign-On Administrator's Guide


    Note:

    The ssoupeid.sql script generates and displays the SSO_IDENTIFIER. You might need the SSO_IDENTIFIER value to apply the patches to the OracleAS Portal schema if the value cannot be generated in the OracleAS Portal schema automatically or if the OracleAS Single Sign-On server used a randomly selected value for the SSO_IDENTIFIER.

  3. If you are not upgrading OracleAS Portal to 10g Release 2 (10.1.2), but you have upgraded OracleAS Single Sign-On from Release 2 (9.0.2) directly to 10g Release 2 (10.1.2), you must apply a patch to each OracleAS Portal instance that is not going to be upgraded to 10g Release 2 (10.1.2).

    Refer to Table 5-5 for the appropriate patch number. Patches are available at:

    http://metalink.oracle.com/
    

Table 5-5 OracleAS Portal Patches for Converting to Long Format Application IDs

OracleAS Portal Version    Patch Number
3.0.9.8.4                  2769007
3.0.9.8.5                  2665597
9.0.2, 9.0.2.3             2665607
9.0.2.6                    4029584
9.0.4                      4037687
9.0.4.1                    4029587


5.6.5.5 Setting Up OracleAS Single Sign-On Replication

If you are using Oracle Internet Directory replication and want to also use OracleAS Single Sign-On replication, add the upgraded 10g Release 2 (10.1.2) tables in the replication group along with 9.0.4 Oracle Internet Directory. Follow the steps below to add OracleAS Single Sign-On tables for replication:

  1. Stop the Oracle Internet Directory replication server on all replicas of the Directory Replication Group.

  2. On the Master Directory replica, in $ORACLE_HOME/ldap/admin, issue the following command:

    sqlplus repadmin/password@<mds connect id> @oidrssou.sql
    
    
  3. Start the Oracle Internet Directory replication server on all replicas of the Directory Replication Group.


    See Also:

    Oracle Internet Directory Administrator's Guide, Chapter 25, "Managing Directory Replication", for instructions.

5.6.5.6 Upgrading the OracleAS Single Sign-On Server with a Customized Middle Tier

If the Release 2 (9.0.2) or 10g (9.0.4) OracleAS Single Sign-On server was using a middle tier other than the default mid-tier installation along with the OracleAS Single Sign-On server, then you must configure that middle tier to point to the upgraded OracleAS Single Sign-On server.

For example, if there was a reverse proxy configured in the Release 2 (9.0.2) or 10g (9.0.4) OracleAS Single Sign-On server middle tier, then you must configure it on the 10g Release 2 (10.1.2) OracleAS Single Sign-On server middle tier.

5.6.5.7 Troubleshooting Wireless Voice Authentication

If you want to use wireless voice authentication with the 10g Release 2 (10.1.2) OracleAS Single Sign-On server, and it doesn't work, verify that the OracleAS Single Sign-On server entry is a member of the Verifier Services Group in Oracle Internet Directory (cn=verifierServices,cn=Groups,cn=OracleContext). This is a requirement for the wireless voice authentication feature. Follow the steps below to verify membership:

  1. Issue the following command:

    ldapsearch -h host \
        -p port \
        -D "cn=orcladmin" \
        -w password \
        -b "cn=verifierServices, cn=Groups, cn=OracleContext" "objectclass=*"
    
    

    The OracleAS Single Sign-On server is a member of the Verifier Services Group if it is listed as a uniquemember in the entry, as shown in Example 5-1.

    Example 5-1 OracleAS Single Sign-On Server uniquemember Listing

    cn=verifierServices, cn=Groups,cn=OracleContext
    .
    .
    .
    uniquemember=orclApplicationCommonName=ORASSO_SSOSERVER,cn=SSO,cn=Products,cn=OracleContext
    .
    .
    .
    

5.6.5.8 Installing Languages in the OracleAS Single Sign-On Server

If you did not select any languages during the OracleAS Single Sign-On upgrade, or you want to install additional languages after the upgrade, you can install the necessary languages by following the steps below.

  1. Copy the necessary language files from the Repository Creation Assistant CD-ROM to the OracleAS Single Sign-On server Oracle home:

    cp repCA_CD/portal/admin/plsql/nlsres/ctl/lang/* DESTINATION_ORACLE_HOME/sso/nlsres/ctl/lang
    
    

    In this example, lang is the language code. For example, the language code for Japanese is ja.

  2. Load the languages into the server.


    See Also:

    Oracle Application Server Single Sign-On Administrator's Guide, Chapter 2, "Configuring Globalization Support" section, for instructions on loading the languages.

5.6.5.9 Re-Registering OracleAS Portal with the Upgraded OracleAS Single Sign-On Server

After performing a distributed Identity Management upgrade (depicted in Figure 5-2 and Figure 5-3) from Oracle9iAS Release 2 (9.0.2) to Oracle Application Server 10g Release 2 (10.1.2), the OracleAS Single Sign-On schemas are relocated in the Oracle Internet Directory database. OracleAS Portal keeps a database link reference to the OracleAS Single Sign-On server password store schema ORASSO_PS. This link reference must be updated.

To re-register OracleAS Portal with the upgraded OracleAS Single Sign-On server from a middle tier whose version is 10g (10.1.2):

  1. Change directory to the following location in the destination middle tier Oracle home:

    DESTINATION_ORACLE_HOME/portal/conf
    
    
  2. Run the following command:

    ptlconfig -dad portal_DAD -sso
    

See Also:

Oracle Application Server Portal Configuration Guide, for more information about the ptlconfig tool

If the version of your middle-tier is lower than 10.1.2, you must use the Oracle Portal Configuration Assistant command line utility ptlasst to reregister OracleAS Portal with Oracle Single Sign-On. Refer to the appropriate version of the Oracle Application Server Portal Configuration Guide for instructions on how to use ptlasst.

5.6.5.10 Re-Registering mod_osso with the Upgraded OracleAS Single Sign-On Server

After performing a distributed Identity Management upgrade (depicted in Figure 5-2 and Figure 5-3) from Oracle9iAS Release 2 (9.0.2) to Oracle Application Server 10g Release 2 (10.1.2), you may need to re-register mod_osso in order for an Oracle9iAS Release 2 (9.0.2) middle tier to operate with the upgraded OracleAS Single Sign-On server.

You will need to do this if the Oracle HTTP Server host and port information for mod_osso was changed. Before re-registering mod_osso, you must first set the value of the ColocatedDBCommonName attribute in the following configuration file to the global database name of the new OracleAS Single Sign-On server database shared with Oracle Internet Directory (for example, iasdb.host.mydomain).

SOURCE_ORACLE_HOME/config/ias.properties

5.6.5.11 Using an Upgraded Identity Management Configuration with Oracle9iAS Discoverer Release 2 (9.0.2)

If you upgraded an Identity Management configuration that was in use by Oracle9iAS Discoverer Release 2 (9.0.2), and you want to continue operating Oracle9iAS Discoverer Release 2 (9.0.2) with the upgraded Identity Management, then you must change the value of the ColocatedDBCommonName attribute in the following configuration file:

SOURCE_ORACLE_HOME/config/ias.properties

The value must be changed to the global database name of the database used by the upgraded Oracle Internet Directory (for example, iasdb.oid_host_name.domain).

5.6.5.12 Inactivity Timeout Issues When Upgrading From Release 2 (9.0.2) to 10g Release 2 (10.1.2)

If you are upgrading OracleAS Single Sign-On server from Release 2 (9.0.2) to 10g Release 2 (10.1.2) and you are using the inactivity timeout feature, then you must do the following:

  1. Upgrade associated mid-tiers used by other applications, such as Portal, to 10g Release 2 (10.1.2).

  2. Re-register mod_osso to ensure that the inactivity timeout cookie issued by the 10g Release 2 (10.1.2) OracleAS Single Sign-On server can be interpreted and used by associated mid-tiers to enforce inactivity timeout.

5.6.5.13 Removing Obsolete OracleAS Single Sign-On Partner Applications

After the upgrade, you will notice additional partner applications on the OracleAS Single Sign-On Partner Application administration page.

For example, you will notice two Oracle Application Server Certificate Authority (OCA) partner applications and two OracleAS Wireless partner applications.

You can safely remove the 10g (9.0.4) OCA partner application that uses port 4400.

As for the OracleAS Wireless partner applications, the 10g Release 2 (10.1.2) Oracle HTTP Server configuration is changed during the upgrade to use the 10g (9.0.4) HTTP Server port; this partner application is not valid and can be removed. The valid OracleAS Wireless partner application is the upgraded partner application, which existed in the 10g (9.0.4) environment.

5.6.6 Completing the Oracle Application Server Certificate Authority Upgrade

After you use Oracle Universal Installer and the 10g Release 2 (10.1.2.0.2) installation procedure to upgrade Oracle Application Server Certificate Authority (OCA), verify the following database settings:

  • Verify that the Database Pool Size is set to 20.

  • Verify that the Database Pool Scheme is set to Dynamic scheme.


See Also:

"Configuring Oracle Application Server Certificate Authority" in the Oracle Application Server Certificate Authority Administrator's Guide

5.6.7 Completing the OracleAS Wireless Upgrade

The following sections describe the tasks you must perform in order to complete the Oracle Application Server Wireless upgrade:

5.6.7.1 Upgrading Wireless User Accounts in Oracle Internet Directory

In Oracle Application Server Wireless Release 2 (9.0.2), user account numbers and PINs for wireless voice authentication were stored in the Wireless repository.

In Oracle Application Server Wireless 10g Release 2 (10.1.2), new attributes are added in the object definition of the orcluserV2 object class of Oracle Internet Directory to store the account number and PIN. As part of the Oracle Application Server Wireless upgrade from Release 2 (9.0.2) to 10g Release 2 (10.1.2), user account numbers and PINs must be transferred from the Wireless repository to Oracle Internet Directory.

This upgrade step can be performed only after the Oracle Application Server Infrastructure and all middle tiers are upgraded to 10g Release 2 (10.1.2). If they are not upgraded, the Oracle Application Server Wireless server will continue to authenticate voice devices locally (without Oracle Application Server Single Sign-On).

To upgrade the account numbers and PINs:

  1. Issue the command:

    DESTINATION_ORACLE_HOME/wireless/bin/migrate902VoiceAttrsToOID.sh \
       DESTINATION_ORACLE_HOME \
       ldapmodify_location \
       user_dn \
       password \
       ldif_file_location \
       log_file

    In this example:

    • ldapmodify_location is the location of the ldapmodify utility, which is usually in the bin directory of the destination Oracle home.

    • user_dn is the DN of the Oracle Internet Directory administrator user.

    • password is the password of the Oracle Internet Directory administrator user

    • ldif_file_location is the absolute path to the ldif (Lightweight Directory Interchange Format) file. This file contains user account numbers and PINs and is uploaded to Oracle Internet Directory by the ldapmodify utility. This temporary file may be removed after the user upgrade procedure has been completed successfully.

    • log_file is the absolute path to the log file

Example:

migrate902VoiceAttrsToOID.sh \
   /dua0/oracle/as904/ \
   /dua0/oracle/as904/bin/ldapmodify \
   "cn=orcladmin" \
   welcome1 \
   /dua0/oracle/as904/users.ldif \
   /dua0/oracle/as904/users.log

5.6.7.2 Adding Unique Constraint on the orclWirelessAccountNumber Attribute in Oracle Internet Directory

In 10g Release 2 (10.1.2), Oracle Internet Directory does not automatically set unique constraints on any user attributes. Wireless voice authentication will not function properly unless a unique constraint is set on the orclWirelessAccountNumber attribute of the orclUserV2 object class.

Set the unique constraint by performing the steps below after the middle tier and infrastructure upgrades are complete.

  1. Execute the script addAccountNumberUniqueConstraint.sh, which is located in the following directory:

    DESTINATION_ORACLE_HOME/wireless/bin
    
    

    The script takes one argument, the full path to the Oracle home. For example:

    addAccountNumberUniqueConstraint.sh DESTINATION_ORACLE_HOME
    
    
  2. Restart the Oracle Internet Directory server.
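
Because the constraint requires every orclWirelessAccountNumber value to be unique, an administrator may want to know whether the LDIF file produced in Section 5.6.7.1 carries the same account number under more than one DN. The following shell script is an added example, not part of the Oracle documentation or the Wireless scripts; it assumes the file is standard LDIF as read by ldapmodify, and the function names and sample entries are constructed for illustration.

```shell
# Added example: report orclWirelessAccountNumber values that appear under more
# than one DN in an LDIF file. Assumes standard LDIF as read by ldapmodify.

# Print "value<TAB>dn" for every value of attribute $2 in LDIF file $1.
# Handles folded lines and case-insensitive attribute names; base64 values
# (attr:: ...) are compared in their encoded form.
ldif_attr_values() {
    awk -v want="$2" '
        function emit(   i, name, val) {
            i = index(buf, ":")
            if (i > 0) {
                name = tolower(substr(buf, 1, i - 1))
                val = substr(buf, i + 1)
                sub(/^:?[ \t]*/, "", val)
                if (name == "dn") dn = val
                else if (name == tolower(want)) print val "\t" dn
            }
            buf = ""
        }
        /^ / { buf = buf substr($0, 2); next }   # continuation of a folded line
        { emit() }
        /^$/ { dn = ""; next }                   # blank line ends the record
        { buf = $0 }
        END { emit() }
    ' "$1"
}

# Print "number<TAB>dn | dn ..." for each account number shared by several DNs.
find_duplicate_account_numbers() {
    ldif_attr_values "$1" orclWirelessAccountNumber | LC_ALL=C sort -u |
    awk -F "\t" '
        { n[$1]++; dns[$1] = dns[$1] (n[$1] > 1 ? " | " : "") $2 }
        END { for (v in n) if (n[v] > 1) print v "\t" dns[v] }
    ' | LC_ALL=C sort
}

# Constructed sample input (not real data); PIN attributes are left out.
write_sample_ldif() {
    printf '%s\n' \
        'dn: cn=alice,cn=users,dc=example,dc=com' 'changetype: modify' \
        'replace: orclWirelessAccountNumber' 'orclWirelessAccountNumber: 1001' '-' '' \
        'dn: cn=bob,cn=users,dc=example,dc=com' 'changetype: modify' \
        'replace: orclWirelessAccountNumber' 'orclwirelessaccountnumber: 1002' '-' '' \
        'dn: cn=carol,cn=users,' ' dc=example,dc=com' 'changetype: modify' \
        'replace: orclWirelessAccountNumber' 'orclWirelessAccountNumber: 1001' '-'
}

umask 077                      # the real file holds account numbers and PINs
sample=$(mktemp) && write_sample_ldif > "$sample"
find_duplicate_account_numbers "$sample"
rm -f "$sample"
```

To check a real migration, call find_duplicate_account_numbers with the path given as ldif_file_location; no output means no account number is shared between DNs.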

5.6.7.3 Disabling Oracle Application Server Wireless Upgrade Triggers in the Infrastructure Repository

When Oracle Application Server Wireless 10g Release 2 (10.1.2) is installed against an Oracle9iAS Release 2 (9.0.2) infrastructure, a number of triggers are automatically installed to ensure that both Oracle9iAS Wireless Release 2 (9.0.2) and Oracle Application Server Wireless 10g Release 2 (10.1.2) middle tiers can function correctly. Once all Oracle9iAS Wireless Release 2 (9.0.2) middle tiers and the infrastructure tier have been upgraded to Oracle Application Server Wireless 10g Release 2 (10.1.2), you must execute the following script to disable any upgrade-related triggers.

disable902-904_trg.sh

This script is located in the following directory:

DESTINATION_ORACLE_HOME/wireless/bin

You must set the ORACLE_HOME environment variable before you execute the script.

5.6.7.4 Activating All OracleAS Wireless 10g Release 2 (10.1.2) Features

When Oracle Application Server Wireless 10g Release 2 (10.1.2) is installed against an Oracle9iAS Release 2 (9.0.2) Infrastructure, a number of features are disabled by default, as they are not compatible with existing Oracle9iAS Wireless Release 2 (9.0.2) middle tiers that are installed against the same Infrastructure. After all Oracle9iAS Wireless Release 2 (9.0.2) middle tiers have been upgraded to Oracle Application Server Wireless 10g Release 2 (10.1.2), you can manually enable these features. Once you have enabled these features, the Oracle9iAS Wireless Release 2 (9.0.2) middle tiers will no longer function correctly.

Enable the Oracle Application Server Wireless 10g Release 2 (10.1.2) features by executing the following script from any of the Oracle Application Server Wireless 10g Release 2 (10.1.2) middle tiers, using the command below. This script is in the following directory of the destination Oracle home:

DESTINATION_ORACLE_HOME/wireless/bin

The command takes the following arguments:

upload.sh wireless_repository_location  -l wireless_user_name/wireless_password

In this example:

  • wireless_repository_location is the relative path to the OracleAS Wireless XML-based repository

  • wireless_user_name is the name of the Oracle Application Server Wireless user

  • wireless_password is the password of the Oracle Internet Administrator

For example:

upload.sh  ../repository/xml/activate-9040.xml -l orcladmin/welcome1

5.6.7.5 Assigning Change Password Privilege to OracleAS Wireless

In Oracle Application Server 10g Release 2 (10.1.2), by default, the OracleAS Wireless application entity does not have the privileges to change the user password. Consequently, upon installation, users cannot change the password to the OracleAS Wireless server. However, you can enable functionality to change passwords by assigning the UserSecurityAdmins privilege to the OracleAS Wireless application entity.

To do this, execute the following script:

DESTINATION_ORACLE_HOME/wireless/bin/assignUserSecurityAdminsPrivilege.sh

The syntax is:

assignUserSecurityAdminsPrivilege.sh oid_super_user_dn user_password

In this example:

  • oid_super_user_dn is the Distinguished Name of the Oracle Internet Directory super user. This user should have privileges to grant UserSecurityAdmins privileges to application entities.

  • user_password is the password of the Oracle Internet Directory super user.

For example:

assignUserSecurityAdminsPrivilege.sh "cn=orcladmin" welcome1

See Also:

"Resetting the Password" in Oracle Application Server Wireless Administrator's Guide

5.6.7.6 Specifying URL Query Parameters for Wireless Services That Use the HTTP Adapter

When you use the HTTP adapter to build Wireless services, one of the service parameters that you must specify is the URL to a back-end application. In some cases, you may send some query parameters to the back-end application. There are two ways to do this from OracleAS Wireless, shown in Example 5-2 and Example 5-3. In Example 5-2, the parameter name is fn and the value is Joe.

Example 5-2 URL Using a Query Parameter

http://localhost:7777/myapp/home.jsp?fn=Joe

The query parameter is sent only in the request for the first page of that service. If there is a link from the first page to some other pages, then the parameter is not added to the request for those pages.

Example 5-3 URL Using an Extra Service Parameter

http://localhost:7777/myapp/home.jsp 

Instead of modifying the URL, you add an extra service parameter with name fn and value Joe. The parameter is sent to all pages, not just the first one. The parameter is also sent with all HTTP redirect requests. However, this method also sends extra URL parameters to the OracleAS Single Sign-On server, which causes the server to return an error.

The error occurs when the back-end application is protected by mod_osso. In that case, the request to that application is intercepted and redirected to the Oracle SSO server for user authentication. The OracleAS Single Sign-On server has restrictive rules concerning query parameters that can be sent to it. Consequently, for back-end applications protected by mod_osso, you must change the Wireless service and add the query parameter to the URL as shown in Example 5-2.

5.6.8 Configuring Oracle Enterprise Manager 10g Database Control After OracleAS Identity Management Upgrade

The Oracle Enterprise Manager 10g Database Control provides a Web-based console you can use to manage Oracle Database 10g. When your OracleAS Metadata Repository is installed in an Oracle Database 10g instance, you can use the Database Control to manage your OracleAS Metadata Repository database.


See Also:

"Managing the OracleAS Metadata Repository Database with Database Control" in the Oracle Application Server Administrator's Guide

However, after you use Oracle Universal Installer to upgrade OracleAS Identity Management in a colocated Infrastructure, the OracleAS Metadata Repository database is automatically upgraded to Oracle Database 10g, but the Database Control is not configured automatically.

Instead, if you want to use the Database Control to manage your upgraded OracleAS Metadata Repository database, you must configure the Database Control manually using the Enterprise Manager Configuration Assistant (EMCA).


See Also:

"Configuring the Database Control with EMCA" in Oracle Enterprise Manager Advanced Configuration

5.7 Task 6: Validate the Identity Management Upgrade

This section describes the steps you must perform after the Identity Management Upgrade to ensure that the upgrade was successful.

5.7.1 Testing OracleAS Single Sign-On Connectivity

After the Identity Management upgrade is complete, log in to Oracle Application Server Single Sign-On as user ORCLADMIN. A successful login indicates that Oracle Application Server Single Sign-On and Oracle Internet Directory are functioning after the Identity Management upgrade.

  1. In a browser, access the Oracle Enterprise Manager 10g Application Server Control Console in the destination Infrastructure Oracle home by entering its URL. Ensure that you provide the correct host name and port number. For example:

    http://infrahost.mycompany.com:1812

    Oracle Enterprise Manager 10g displays the Farm page, with the Oracle Application Server 10g Release 2 (10.1.2) Identity Management instance in the Standalone Instances section.

  2. Click the link for the Identity Management instance.

    The System Components page appears.

  3. Verify that the status of the Oracle HTTP Server, Oracle Internet Directory, and Oracle Application Server Single Sign-On components is Up.

  4. In the browser, access the ORASSO page by entering its URL. Ensure that you enter the correct host name and port number for the upgraded Oracle HTTP Server. For example:

    http://infrahost.mycompany.com:7777/pls/orasso/ORASSO.home

    The ORASSO page appears.

  5. Click the Login link (in the upper right corner of the page).

    A page appears with User Name and Password fields.

  6. Enter ORCLADMIN in the User Name field, and the password you have selected for ORCLADMIN in the Password field.

  7. Click Login.

    The Oracle Application Server Single Sign-On Server Administration page appears, thus validating the basic operation of the upgraded Identity Management components (Oracle Application Server Single Sign-On and Oracle Internet Directory).

5.7.2 Testing Oracle Application Server Certificate Authority After Upgrade

If you have upgraded Oracle Application Server Certificate Authority (OCA), you can verify that the upgrade completed successfully by accessing the OCA User page.

Open your Web browser and enter the following URL:

https://infrahost.mycompany.com:6600/oca/user

Check to be sure that you can log in as a regular user and view the user's existing certificates. This ensures that OCA is working with Oracle Internet Directory and OracleAS Single Sign-On.


Note:

After the upgrade, you will notice two OCA partner applications in the OracleAS Single Sign-On Partner Application administration page. One is the partner application for the 10g (9.0.4) OCA installation and the other is the partner application for the upgraded 10g Release 2 (10.1.2) OCA installation.

The original partner application can be removed. The upgraded OCA will be running on port 6600 after upgrade, instead of port 4400.


5.8 Task 7: Decommission the OracleAS Identity Management Source Oracle Home

After you upgrade your OracleAS Identity Management Oracle home, the source Oracle home can eventually be deinstalled. However, before you deinstall the source Oracle home, review the following sections carefully:

5.8.1 Relocating the Database Datafiles, Control Files, and Log Files After Upgrading a Colocated Infrastructure

If you upgraded OracleAS Identity Management as part of a colocated Infrastructure, then you also upgraded the OracleAS Metadata Repository database to a supported database version.

After you upgrade the OracleAS Metadata Repository database using the OracleAS Upgrade Assistant, the datafiles, control files, and log files for the database remain in the source Oracle home. Before you deinstall or remove the Oracle home, you must first relocate the database files.

5.8.2 Preserving Application Files and Log Files

If there are application files or log files in the source Oracle home that are being referenced or used by the destination Oracle home, you should move them to another location before you decommission the source Oracle home, and, in the destination Oracle home, change any references to the files to the new location.

5.8.3 Before You Deinstall Release 2 (9.0.2) OracleAS Identity Management from a Computer that Also Contains 10g Release 2 (10.1.2) Instances

If you have 9.0.2 or 9.0.3 and 10g Release 2 (10.1.2) instances on the same computer, and you want to deinstall a 9.0.2 instance, review the information in Section 4.9.4, "Deinstalling a Release 2 (9.0.2) or Release 2 (9.0.3) Source Oracle Home".

5.8.4 Deinstalling the OracleAS Identity Management Source Oracle Home

When you are certain that the upgrade was successful, you have all of the necessary backups, and have no plans to revert to the source Oracle home, you may elect to remove the files from the source Oracle home. Use the Oracle Universal Installer to deinstall the instance.

Note, however, that deinstalling an Oracle9iAS Release 2 (9.0.2) or (9.0.3) instance when there is also an OracleAS 10g Release 2 (10.1.2) instance on the computer requires a patch. Before you deinstall such an instance, be aware of the issues associated with this deinstallation that may apply to your configuration.